authorChris Buechler <cmb@pfsense.org>2016-07-17 23:18:57 -0500
committerChris Buechler <cmb@pfsense.org>2016-07-17 23:18:57 -0500
commita46e0d747e2f295a19708b2eed04e99d0ce1d634 (patch)
tree76ea0257e94867e76e573f00fd337f6990fa5a03 /src
parent4d55ef968ba2ed3a080053e879121cb2b33dcf3f (diff)
Allow AES-GCM for P1 where using IKEv2. Ticket #5990
Diffstat (limited to 'src')
-rw-r--r--src/etc/inc/ipsec.inc3
-rw-r--r--src/usr/local/www/vpn_ipsec_phase1.php4
2 files changed, 7 insertions, 0 deletions
diff --git a/src/etc/inc/ipsec.inc b/src/etc/inc/ipsec.inc
index f60e639..a77e485 100644
--- a/src/etc/inc/ipsec.inc
+++ b/src/etc/inc/ipsec.inc
@@ -101,6 +101,9 @@ $ipsec_idhandling = array(
global $p1_ealgos;
$p1_ealgos = array(
'aes' => array('name' => 'AES', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)),
+ 'aes128gcm' => array('name' => 'AES128-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)),
+ 'aes192gcm' => array('name' => 'AES192-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)),
+ 'aes256gcm' => array('name' => 'AES256-GCM', 'keysel' => array('lo' => 64, 'hi' => 128, 'step' => 32)),
'blowfish' => array('name' => 'Blowfish', 'keysel' => array('lo' => 128, 'hi' => 256, 'step' => 64)),
'3des' => array('name' => '3DES'),
'cast128' => array('name' => 'CAST128')
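Review bot: The `keysel` ranges on the three added GCM entries (`'lo' => 64, 'hi' => 128, 'step' => 32`) do not read as key lengths, because the key size is already part of each entry's name; they presumably select the ICV (tag) length in bits, but nothing in the array says so. I would add a comment above the entries such as `// For AES-GCM, keysel is the ICV length in bits (64/96/128), not the key length`, once that is confirmed against the code that builds the proposal string. If that reading is right, the 64-bit choice gives the weakest integrity protection of the three, so the UI default for these entries is worth checking. The `$p1_ealgos` array continues past the end of this hunk.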
diff --git a/src/usr/local/www/vpn_ipsec_phase1.php b/src/usr/local/www/vpn_ipsec_phase1.php
index 3bdfd38..a9fb081 100644
--- a/src/usr/local/www/vpn_ipsec_phase1.php
+++ b/src/usr/local/www/vpn_ipsec_phase1.php
@@ -391,6 +391,10 @@ if ($_POST) {
$input_errors[] = gettext("Valid arguments for IKE type are v1, v2 or auto");
}
+ if (preg_match("/aes\d+gcm/", $_POST['ealgo']) && $_POST['iketype'] != "ikev2") {
+ $input_errors[] = gettext("Encryption Algorithm AES-GCM can only be used with IKEv2");
+ }
+
if (!empty($_POST['ealgo']) && isset($config['system']['crypto_hardware'])) {
if ($config['system']['crypto_hardware'] == "glxsb") {
if ($_POST['ealgo'] == "aes" && $_POST['ealgo_keylen'] != "128") {
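Review bot: The added check `preg_match("/aes\d+gcm/", $_POST['ealgo'])` identifies the GCM algorithms by an unanchored pattern and compares the IKE type with loose `!=`, so the rule is tied to a substring match rather than to the three keys actually defined in `$p1_ealgos`. Anchoring it to those names and comparing strictly keeps the validation aligned with the list: `if (preg_match('/^aes(128|192|256)gcm$/', $_POST['ealgo']) && $_POST['iketype'] !== "ikev2") {`. Whether `$_POST['ealgo']` is checked against the keys of `$p1_ealgos` elsewhere is not visible in this hunk; if it is not, that membership check belongs next to this one so an unknown algorithm string cannot reach the saved configuration. The enclosing `if ($_POST)` block starts and ends outside the hunk.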