Cloud VPN supports the following ciphers and configuration parameters for peer VPN devices or VPN services. Cloud VPN auto-negotiates the connection as long as the peer side uses a supported IKE cipher setting.
For configuration instructions, see Configuring the peer VPN gateway.
IKE cipher overview
The following IKE ciphers are supported for Classic VPN and HA VPN.
There are two sections for IKEv2, one for ciphers using authenticated encryption with associated data (AEAD), and one for ciphers that do not use AEAD.
IKEv2 ciphers that use AEAD
Phase 1
| Cipher role | Cipher | Notes |
|---|---|---|
| Encryption & Integrity |
|
In this list, the first number is the size of the ICV parameter
in bytes (octets) and the second is the key length in bits. Some documentation might express the ICV parameter (the first number) in bits instead (8 becomes 64, 12 becomes 96, and 16 becomes 128). |
| Pseudo-Random Function (PRF) |
|
Many devices won't require an explicit PRF setting. |
| Diffie-Hellman (DH) |
|
Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order. |
| Phase 1 lifetime | 36,000 seconds (10 hours) | — |
Phase 2
| Cipher role | Cipher | Notes |
|---|---|---|
| Encryption & Integrity |
|
Cloud VPN's proposal presents these algorithms in the order shown.
Cloud VPN accepts any proposal that includes one or more of these
algorithms, in any order. Note that the first number in each algorithm is the size of the ICV parameter in bytes (octets) and the second is its key length in bits. Some documentation might express the ICV parameter (the first number) in bits instead (8 becomes 64, 12 becomes 96, 16 becomes 128). |
| PFS Algorithm (required) |
|
Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that has one or more of these algorithms in any order. |
| Diffie-Hellman (DH) | Refer to Phase 1 | If your VPN gateway requires DH settings for Phase 2, use the same settings you used for Phase 1. |
| Phase 2 lifetime | 10,800 seconds (3 hours) | — |
IKEv2 ciphers that don't use AEAD
Phase 1
| Cipher role | Cipher | Notes |
|---|---|---|
| Encryption |
|
Cloud VPN's proposal presents these symmetric encryption algorithms in the order shown. Cloud VPN accepts any proposal that use one or more of these algorithms, in any order. |
| Integrity |
|
Cloud VPN's proposal presents these HMAC algorithms
in the order shown. Cloud VPN accepts any proposal that has one
or more of these algorithms, in any order. Documentation for your on-premises VPN gateway might use a slightly different name for the algorithm. For example, HMAC-SHA2-512-256 might
be referred to as just SHA2-512 or SHA-512, dropping the
truncation length number and other extraneous information.
|
| Pseudo-Random Function (PRF) |
|
Many devices won't require an explicit PRF setting. |
| Diffie-Hellman (DH) |
|
Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that contains one or more of these algorithms, in any order. |
| Phase 1 lifetime | 36,000 seconds (10 hours) | — |
Phase 2
| Cipher role | Cipher | Notes |
|---|---|---|
| Encryption |
|
Cloud VPN's proposal presents these symmetric encryption algorithms in the order shown. Cloud VPN accepts any proposal that contains one or more of these algorithms, in any order. |
| Integrity |
|
Cloud VPN's proposal presents these
HMAC algorithms in the order shown. Cloud VPN accepts
any proposal that contains one or more of these algorithms, in any order. Documentation for your on-premises VPN gateway might use a slightly different name for the algorithm. For example, HMAC-SHA2-512-256 might be referred to as just SHA2-512 or
SHA-512, dropping the truncation length number and other extraneous information.
|
| PFS Algorithm (required) |
|
Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that contains one or more of these algorithms, in any order. |
| Diffie-Hellman (DH) | Refer to Phase 1. | If your VPN gateway requires DH settings for Phase 2, use the same settings that you used for Phase 1. |
| Phase 2 lifetime | 10,800 seconds (3 hours) | — |
IKEv1 ciphers
Phase 1
| Cipher role | Cipher |
|---|---|
| Encryption | AES-CBC-128 |
| Integrity | HMAC-SHA1-96 |
| Pseudo-Random Function (PRF)* | PRF-SHA1-96 |
| Diffie-Hellman (DH) | modp_1024 (Group 2) |
| Phase 1 lifetime | 36,600 seconds (10 hours, 10 minutes) |
*For more information about PRF in IKEv1, see RFC 2409.
Phase 2
| Cipher role | Cipher |
|---|---|
| Encryption | AES-CBC-128 |
| Integrity | HMAC-SHA1-96 |
| PFS Algorithm (required) | modp_1024 (Group 2) |
| Diffie-Hellman (DH) | If you need to specify DH for your VPN gateway, use the same setting that you used for Phase 1. |
| Phase 2 lifetime | 10,800 seconds (3 hours) |
What's next
- Learn about the basic concepts of Cloud VPN
- Create a custom Virtual Private Cloud network
- Maintain VPN tunnels and gateways
- See Advanced Configurations for information on high-availability, high-throughput scenarios, or multiple subnet scenarios.
- View logs and monitoring metrics
- Get troubleshooting help