IKE Proposal configuration requires authentication even with AES GCM #8947

New Issue

Closed

opened 2025-12-29 20:43:12 +01:00 by adam · 6 comments

adam commented 2025-12-29 20:43:12 +01:00

Owner

Copy Link

Originally created by @markkuleinio on GitHub (Dec 12, 2023).

Originally assigned to: @jeremystretch on GitHub.

Deployment Type

Self-hosted

NetBox Version

v3.7-beta1

Python Version

3.11

Steps to Reproduce

1. Go to VPN - IKE Proposals, Add
2. Select Encryption algorithm: 256-bit AES (GCM)

Expected Behavior

It should be possible to select "None" in Authentication algorithm.

Example of PAN-OS configuration:

set network ike crypto-profiles ike-crypto-profiles IKE-SHA384-AES256-DH20-86400 encryption aes-256-gcm
set network ike crypto-profiles ike-crypto-profiles IKE-SHA384-AES256-DH20-86400 hash non-auth
set network ike crypto-profiles ike-crypto-profiles IKE-SHA384-AES256-DH20-86400 dh-group group20
set network ike crypto-profiles ike-crypto-profiles IKE-SHA384-AES256-DH20-86400 lifetime hours 24

Observed Behavior

Authentication algorithm must be selected from the dropdown, there is no "None" option, not possible to match NetBox with the actual device configuration

Originally created by @markkuleinio on GitHub (Dec 12, 2023). Originally assigned to: @jeremystretch on GitHub. ### Deployment Type Self-hosted ### NetBox Version v3.7-beta1 ### Python Version 3.11 ### Steps to Reproduce 1. Go to VPN - IKE Proposals, Add 2. Select Encryption algorithm: 256-bit AES (GCM) ### Expected Behavior It should be possible to select "None" in Authentication algorithm. Example of PAN-OS configuration: ``` set network ike crypto-profiles ike-crypto-profiles IKE-SHA384-AES256-DH20-86400 encryption aes-256-gcm set network ike crypto-profiles ike-crypto-profiles IKE-SHA384-AES256-DH20-86400 hash non-auth set network ike crypto-profiles ike-crypto-profiles IKE-SHA384-AES256-DH20-86400 dh-group group20 set network ike crypto-profiles ike-crypto-profiles IKE-SHA384-AES256-DH20-86400 lifetime hours 24 ``` ### Observed Behavior Authentication algorithm must be selected from the dropdown, there is no "None" option, not possible to match NetBox with the actual device configuration 

adam added the type: bugstatus: acceptedbetaseverity: low labels 2025-12-29 20:43:12 +01:00

adam closed this issue 2025-12-29 20:43:12 +01:00

adam commented 2025-12-29 20:43:13 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Dec 12, 2023):

Is there a difference in the PAN-OS config between explicitly setting hash non-auth and not setting the parameter at all? Or is this effectively the same? Just trying to fully understand the context.

@jeremystretch commented on GitHub (Dec 12, 2023): Is there a difference in the PAN-OS config between explicitly setting `hash non-auth` and not setting the parameter at all? Or is this effectively the same? Just trying to fully understand the context.

adam commented 2025-12-29 20:43:14 +01:00

Author

Owner

Copy Link

@markkuleinio commented on GitHub (Dec 12, 2023):

# show
set network ike crypto-profiles ike-crypto-profiles TEST encryption aes-256-gcm
set network ike crypto-profiles ike-crypto-profiles TEST dh-group group20
set network ike crypto-profiles ike-crypto-profiles TEST lifetime hours 24

# commit
Validation Error:
 network -> ike -> crypto-profiles -> ike-crypto-profiles -> TEST  is missing 'hash'
 network -> ike -> crypto-profiles -> ike-crypto-profiles is invalid

# set hash ?
  [          Start a list of values.
  md5        below 80-bit strength
  non-auth   Integrity check is unnecessary when AESGCM is chosen
  sha1       NIST rating 128-bit strength
  sha256     NIST rating 256-bit strength
  sha384     NIST rating over 256-bit strength
  sha512     NIST rating over 256-bit strength

# set hash non-auth

# commit
Configuration committed successfully

PAN-OS 10.2.7

@markkuleinio commented on GitHub (Dec 12, 2023): ``` # show set network ike crypto-profiles ike-crypto-profiles TEST encryption aes-256-gcm set network ike crypto-profiles ike-crypto-profiles TEST dh-group group20 set network ike crypto-profiles ike-crypto-profiles TEST lifetime hours 24 # commit Validation Error: network -> ike -> crypto-profiles -> ike-crypto-profiles -> TEST is missing 'hash' network -> ike -> crypto-profiles -> ike-crypto-profiles is invalid # set hash ? [ Start a list of values. md5 below 80-bit strength non-auth Integrity check is unnecessary when AESGCM is chosen sha1 NIST rating 128-bit strength sha256 NIST rating 256-bit strength sha384 NIST rating over 256-bit strength sha512 NIST rating over 256-bit strength # set hash non-auth # commit Configuration committed successfully ``` PAN-OS 10.2.7

adam commented 2025-12-29 20:43:14 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Dec 12, 2023):

Ok, so the command itself is required and no-hash effectively represents "none." Thanks.

@jeremystretch commented on GitHub (Dec 12, 2023): Ok, so the command itself is required and `no-hash` effectively represents "none." Thanks.

adam commented 2025-12-29 20:43:14 +01:00

Author

Owner

Copy Link

@DanSheps commented on GitHub (Dec 12, 2023):

Just want to say thank you for giving the beta a test run and helping us tweak it further.

@DanSheps commented on GitHub (Dec 12, 2023): Just want to say thank you for giving the beta a test run and helping us tweak it further.

adam commented 2025-12-29 20:43:15 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Dec 12, 2023):

We should also think about IPSec policies (phase two): It should be possible to set only encryption or authentication (or both), right?

As for IKE policies (phase one), IIRC encryption is always required.

@jeremystretch commented on GitHub (Dec 12, 2023): We should also think about IPSec policies (phase two): It should be possible to set only encryption _or_ authentication (or both), right? As for IKE policies (phase one), IIRC encryption is always required.

adam commented 2025-12-29 20:43:15 +01:00

Author

Owner

Copy Link

@markkuleinio commented on GitHub (Dec 12, 2023):

We should also think about IPSec policies (phase two): It should be possible to set only encryption or authentication (or both), right?

I'd say yes:

# edit ipsec-crypto-profiles IPSEC_TEST
# set ?
+ dh-group   phase-2 DH group (PFS DH group)
> ah         AH only
> esp        ESP options
> lifesize   IPSec SA lifesize
> lifetime   IPSec SA lifetime

# set ah ?
> authentication   Authentication algorithm

# set ah authentication ?
  [        Start a list of values.
  md5      below 80-bit strength
  sha1     NIST rating 128-bit strength
  sha256   NIST rating 256-bit strength
  sha384   NIST rating over 256-bit strength
  sha512   NIST rating over 256-bit strength

# set ah authentication sha512
# set lifetime seconds 3600
# show
set network ike crypto-profiles ipsec-crypto-profiles IPSEC_TEST ah authentication sha512
set network ike crypto-profiles ipsec-crypto-profiles IPSEC_TEST lifetime seconds 3600

# commit
Configuration committed successfully

= no ESP

@markkuleinio commented on GitHub (Dec 12, 2023): > We should also think about IPSec policies (phase two): It should be possible to set only encryption or authentication (or both), right? I'd say yes: ``` # edit ipsec-crypto-profiles IPSEC_TEST # set ? + dh-group phase-2 DH group (PFS DH group) > ah AH only > esp ESP options > lifesize IPSec SA lifesize > lifetime IPSec SA lifetime # set ah ? > authentication Authentication algorithm # set ah authentication ? [ Start a list of values. md5 below 80-bit strength sha1 NIST rating 128-bit strength sha256 NIST rating 256-bit strength sha384 NIST rating over 256-bit strength sha512 NIST rating over 256-bit strength # set ah authentication sha512 # set lifetime seconds 3600 # show set network ike crypto-profiles ipsec-crypto-profiles IPSEC_TEST ah authentication sha512 set network ike crypto-profiles ipsec-crypto-profiles IPSEC_TEST lifetime seconds 3600 # commit Configuration committed successfully ``` = no ESP

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label beta severity: low status: accepted type: bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#8947