afink
newbie
Topic Author
Posts: 35
Joined: Wed May 29, 2013 7:16 pm
Location: Basel & Freetown
Contact:

"failure: AEAD already provides authentication"

Fri Dec 29, 2023 12:32 pm

can anyone shed light on why I get "failure: AEAD already provides authentication" when I try to create an ipsec profile?


[admin@Mikrotik] /ip/ipsec/proposal> add name=proposal-test enc-algorithms=aes-128-gcm
failure: AEAD already provides authentication

seems there is absolutely no way to use aes with gcm...
 
gabacho4
Member
Posts: 399
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: "failure: AEAD already provides authentication"

Fri Dec 29, 2023 3:44 pm

I've seen this question a few times already. Per the interwebs:

AES-GCM (Galois Counter Mode) internally uses AES in CTR mode that can provide confidentiality and at most Ind-CPA security. AES-GCM also uses GHASH to provide integrity and authentication like any secure MAC.

In the end, AES-GCM constitutes an authenticated encryption (AE) mode with Associated Data (AEAD).

In other words no authentication algorithm is required as AES-GCM already uses one. Just don't check the box (or set it to null) and you'll be able to move forward.
 
afink

Re: "failure: AEAD already provides authentication"

Fri Dec 29, 2023 6:33 pm

well authentication is set to null. Still same.
 
gabacho4

Re: "failure: AEAD already provides authentication"

Fri Dec 29, 2023 6:39 pm

Please provide screenshots. I've used this with no problems before so I'm betting you have a configuration issue.

Edit: Have you tried it without selecting anything - including null?
 
afink

Re: "failure: AEAD already provides authentication"

Fri Dec 29, 2023 6:40 pm

the command I posted in the beginning of this thread is exactly this. And the result is "null" (if you choose AES-256-CTR for example so the command executes).
 
gabacho4

Re: "failure: AEAD already provides authentication"

Fri Dec 29, 2023 6:46 pm

Seems I can duplicate that from the command line but it works just fine via WinBox. Looks like you may have found a bug. I'd report it.
 
afink

Re: "failure: AEAD already provides authentication"

Fri Dec 29, 2023 6:47 pm

doesn't work in web GUI, doesn't work on CLI.. nobody uses Winbox... (except maybe some folks who use Windows)
 
gabacho4

Re: "failure: AEAD already provides authentication"

Fri Dec 29, 2023 6:52 pm

You're being difficult to work with. MANY people use Winbox and I do so on Windows, Linux, and MacOS.

But I'll look past your onerous behavior and provide this as a solution as it worked for me on CLI. For the auth algorithm just use "".

[ngoehring@CapAX-1] /ip/ipsec/proposal> add name=test enc-algorithms=aes-128-gcm auth-algorithms=""
[ngoehring@CapAX-1] /ip/ipsec/proposal> print
Flags: X - disabled; * - default
0 * name="default" auth-algorithms=sha1
enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m
pfs-group=modp1024

1 name="test" auth-algorithms="" enc-algorithms=aes-128-gcm lifetime=30m
pfs-group=modp1024


You're welcome
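
The rule the thread arrives at, as an added example that is not part of any post above and not MikroTik code: a small linter for proposal lines that flags a GCM cipher paired with any auth algorithm and proposes the `auth-algorithms=""` form. The status names, the sample lines and the sha1 fallback for an omitted `auth-algorithms` are assumptions of this example.

```python
import re
import shlex

# Assumption: an omitted auth-algorithms falls back to sha1, the value the
# default proposal in the thread's printout carries.
ASSUMED_DEFAULT_AUTH = "sha1"

def parse_params(line):
    """Split a 'key=value key="value"' proposal line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def split_list(value):
    """Turn 'a,b' into ['a', 'b'] and the quoted empty string into []."""
    return [item for item in value.split(",") if item]

def check_proposal(line):
    """Classify one proposal line (status names are hypothetical)."""
    params = parse_params(line)
    enc = split_list(params.get("enc-algorithms", ""))
    auth = split_list(params.get("auth-algorithms", ASSUMED_DEFAULT_AUTH))
    aead = [a for a in enc if a.endswith("-gcm")]
    plain = [a for a in enc if not a.endswith("-gcm")]
    # Any listed auth algorithm next to GCM, "null" included, is the
    # combination the thread reports as rejected. Mixed GCM/non-GCM lists
    # are flagged conservatively; the thread does not cover them.
    if aead and auth:
        return "aead-with-auth"
    # A non-AEAD cipher with no real MAC leaves ESP without integrity.
    if plain and not [a for a in auth if a != "null"]:
        return "cipher-without-auth"
    return "ok"

def suggest_fix(line):
    """Rewrite a line so auth-algorithms is the empty string, as in the thread."""
    stripped = re.sub(r'\s*auth-algorithms=("[^"]*"|\S*)', "", line)
    return stripped + ' auth-algorithms=""'

# Constructed sample lines modelled on the commands quoted in the thread.
SAMPLES = [
    "add name=proposal-test enc-algorithms=aes-128-gcm",
    "add name=p-null enc-algorithms=aes-128-gcm auth-algorithms=null",
    'add name=test enc-algorithms=aes-128-gcm auth-algorithms=""',
    'add name=p-cbc enc-algorithms=aes-256-cbc auth-algorithms=""',
]

if __name__ == "__main__":
    for line in SAMPLES:
        status = check_proposal(line)
        fix = suggest_fix(line) if status == "aead-with-auth" else ""
        print(f"{status:20} {line}  {fix}")
```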
 
gabacho4

Re: "failure: AEAD already provides authentication"

Fri Dec 29, 2023 6:58 pm

Ironically, I was able to figure this out by producing a working proposal using Winbox, then printing the proposal from the CLI. Might want to reevaluate your dismissal of tools for future troubleshooting.
 
afink

Re: "failure: AEAD already provides authentication"

Fri Dec 29, 2023 7:07 pm

oh null is not the same as "". That's an interesting find. As far as Winbox goes, I just can't run it on modern Macs with ARM CPUs and it doesn't give me anything the web gui doesn't give me (besides bugs like this one being only in one variant of GUI or CLI every once in a while).

You might be able to run winbox in a qemu emulation in a virtual windows which is then a several gigabyte package for something which is built into every router and works with a simple browser. That's why I stay away from Winbox. You might be happy with it if your daily driver is an Intel windows machine.
 
gabacho4

Re: "failure: AEAD already provides authentication"

Fri Dec 29, 2023 7:20 pm

In all fairness, and with all crankiness aside, I still think it's a bug that you should report. NULL would seem like it should work as "" is just that - null. So that's a goof on MT's part as far as I am concerned and should be corrected. I work on various laptops depending on my mood - an Ubuntu Linux one, Windows, or a MacBook Pro M1. Winbox via Wine works outstandingly for me on both Linux and Mac. I'd recommend giving it a try.
 
afink

Re: "failure: AEAD already provides authentication"

Fri Dec 29, 2023 7:37 pm

of course I reported it already
