What happens if a laptop and a server don't have a encryption algorithm in common?
Does IPSec abort the connection or does it always have default algorithms?
1 Answer
If there are no algorithms in common, the connection will fail.
The RFCs specify "mandatory-to-implement" algorithms which should result in the two sides always having something in common, but those are updated by newer RFCs, up to the point that previously "mandatory-to-implement" become "must-not-support". This is because IPSec is an old standard. So if one side is much older than the other, they can have zero algorithms in common.
Current RFC 8221 says "ENCR_AES_GCM_16" is required. That is a good algorithm. You should make sure you can use that.
If you can't use that then use ENCR_CHACHA20_POLY1305, and if you can't use that then use ENCR_AES_CBC with AH with AUTH_HMAC_SHA2_512_256 (or any HMAC, I guess). Avoid 3DES. CCM is ok, but slower than GCM and is probably only for slow devices with a hardware AES engine, not laptops which can go GCM or phones which can do ChaCha.
