
When I use scapy to create an SA (IPsec), I am getting "ValueError: Invalid key size (96) for AES". The provided values are accepted while creating the SA, but fail when I apply them for encryption (no error for other algorithms like AES-CBC). AES-GCM is supported in scapy.

Code used:

>>> sa = SecurityAssociation(ESP,spi=10,crypt_algo='AES-GCM',crypt_key=b'aaaaaaabbbbbaaaa',auth_algo='NULL',auth_key=b'NULL',tunnel_header=ip_tunnel)

>>> sa
<scapy.layers.ipsec.SecurityAssociation object at 0x7f055f6dd5b0>

>>> e = sa.encrypt(plain_txt)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/scapy/layers/ipsec.py", line 998, in encrypt
    return self._encrypt_esp(pkt, seq_num=seq_num,
  File "/usr/lib/python3/dist-packages/scapy/layers/ipsec.py", line 898, in _encrypt_esp
    esp = self.crypt_algo.encrypt(self, esp, self.crypt_key,
  File "/usr/lib/python3/dist-packages/scapy/layers/ipsec.py", line 358, in encrypt
    cipher = self.new_cipher(key, mode_iv)
  File "/usr/lib/python3/dist-packages/scapy/config.py", line 681, in func_in
    return func(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/scapy/layers/ipsec.py", line 301, in new_cipher
    self.cipher(key),
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/ciphers/algorithms.py", line 35, in __init__
    self.key = _verify_key_size(self, key)
  File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/ciphers/algorithms.py", line 20, in _verify_key_size
    raise ValueError("Invalid key size ({}) for {}.".format(
ValueError: Invalid key size (96) for AES.
ecdsa

1 Answer


While AES keys for AES-GCM with IPsec can be 128, 192 or 256 bits (16, 24 or 32 bytes), an additional 4-byte (32-bit) salt value is required that's added to the IV for each packet. So the key material that has to be supplied is actually 160, 224 or 288 bits (20, 28 or 36 bytes), see RFC 4106, section 8.1.

You can see that in the error here:

 ValueError: Invalid key size (96) for AES

From the 128-bit key aaaaaaabbbbbaaaa you supplied, the 32-bit salt is internally removed so the key for AES is reduced to 96 bits, which isn't enough. To fix this, add four additional characters to your key.

ecdsa
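As an added illustration (not code from the question or from scapy), here is a small pure-Python model of the RFC 4106 key-material layout the answer describes: the trailing 4 bytes of the supplied key material are the salt, what remains must be a 16-, 24- or 32-byte AES key, and the salt is prepended to the 8-byte per-packet IV to form the 96-bit GCM nonce. The sample keys are constructed, and the helper names are my own.

```python
# Added example: models the RFC 4106 AES-GCM key material split that makes the
# 16-byte key in the question come out as a 96-bit (invalid) AES key.
AES_KEY_SIZES = (16, 24, 32)   # AES-128/192/256 keys, in bytes
SALT_SIZE = 4                  # RFC 4106 section 8.1: 32-bit salt after the key
IV_SIZE = 8                    # RFC 4106 section 3.1: 64-bit per-packet IV


def split_gcm_key_material(crypt_key: bytes):
    """Split IPsec AES-GCM key material into (aes_key, salt).

    The last 4 bytes are the salt; the remainder must be a valid AES key.
    A 16-byte crypt_key therefore leaves a 12-byte (96-bit) key, which is
    the rejection seen in the question's traceback.
    """
    if len(crypt_key) <= SALT_SIZE:
        raise ValueError("key material too short to hold an AES key and salt")
    aes_key, salt = crypt_key[:-SALT_SIZE], crypt_key[-SALT_SIZE:]
    if len(aes_key) not in AES_KEY_SIZES:
        raise ValueError("Invalid key size (%d) for AES." % (len(aes_key) * 8))
    return aes_key, salt


def gcm_nonce(salt: bytes, iv: bytes) -> bytes:
    """Build the 96-bit GCM nonce: salt || per-packet IV (RFC 4106 section 3.1)."""
    if len(salt) != SALT_SIZE or len(iv) != IV_SIZE:
        raise ValueError("salt must be 4 bytes and IV 8 bytes")
    return salt + iv


def check_key_material(crypt_key: bytes) -> str:
    """Return 'ok', or the error message the key material would trigger."""
    try:
        split_gcm_key_material(crypt_key)
    except ValueError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    bad = b"aaaaaaabbbbbaaaa"            # the 16-byte key from the question
    good = bad + b"\x00\x00\x00\x01"     # constructed: same key plus a 4-byte salt
    print(check_key_material(bad))       # Invalid key size (96) for AES.
    print(check_key_material(good))      # ok
    key, salt = split_gcm_key_material(good)
    print(gcm_nonce(salt, b"\x00" * IV_SIZE).hex())
```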