but My Peer-to-peer connection (a Teltonika RUTX11 router) failed as a result of a software upgrade, and when I logged in to IPFire to check the status I noticed something odd.
In the Peer-to-peer config I enabled SHA512, then selected AES256-GCM.
The second I did so, SHA512 gets greyed out.
I pressed the SAVE button and it went back to the main OpenVPN screen
But when I clicked the pencil to edit the P2P connection again I see a different
hashing option:
unfortunately, as far as I am aware Whirlpool 512 is not supported by my client device.
is this just a curiosity of the GUI ? or can I not use SHA512 for P2P with AES256-GCM Please (and if not , what is the limitation please ?)
To check my understanding of the article (I am not yet a cryptography expert)
AES-GCM uses its own algorithm (GMAC) for data integrity, therefore the option is greyed out. Implicitly then, no other HMAC is necessary when using GCM? correct?
I am therefore a little confused as to why I can specify AES-GCM with a selection of HMAC approaches for a road warrior but not for a P2P ?
I am not 100% sure but I believe it is related to the roadwarrior being a server/client interaction while the net2net is a server/server interaction. The WUI page for the P2P nete2net connection uses the terms “server” and “client” but this is just to differentiate the two ends. They could just as easily have been called “fred” and “tony”.
@ummeegge can probably explain better, and correct me if my input is incorrect, as he has been involved very closely in the code for the net2net connection.
Hi all,
the n2n WUI is a little more advanced according to the HMAC selection and greys the HMAC selection out if you choose an GCM (AEAD) cipher since the Galois Counter Mode offers already an Galois Message Authentication Code (GMAC) . The n2n WUI shows this fact to the user whereby the Roadwarrior would need also an approrpiate Java Code to show this too git.ipfire.org Git - ipfire-2.x.git/blob - html/cgi-bin/ovpnmain.cgi .
–tls-auth (TLS Channel Protection:) uses also it´s own HMAC but if --auth has been set in server.conf and you choose an GCM in the WebUserInterface or in general an AEAD Cipher, the --auth directive will simply be ignored by OpenVPN., so everything will work as it should.
Ah, okay. So with the RW connection, it makes no difference what HMAC I choose (I am using AES GCM 256 bit) so it will just use the GMAC automatically behind the scenes.
