Supported IKE ciphers

Cloud VPN supports the following ciphers and configuration parameters for peer VPN devices or VPN services. Cloud VPN auto-negotiates the connection as long as the peer side uses a supported IKE cipher setting.

For configuration instructions, see Configure the peer VPN gateway.

Cloud VPN operates in IPsec ESP Tunnel Mode.

The following IKE ciphers are supported for Classic VPN and HA VPN.

IKEv2 ciphers that use AEAD

The following ciphers use authenticated encryption with associated data (AEAD).

Phase 1

Cipher role Cipher Notes
Encryption & Integrity
  • AES-GCM-16-128
  • AES-GCM-16-192
  • AES-GCM-16-256

In this list, the first number is the size of the ICV parameter in bytes (octets), and the second is the key length in bits.

Some documentation might express the ICV parameter (the first number) in bits instead (8 becomes 64, 12 becomes 96, and 16 becomes 128).
Pseudo-Random Function (PRF)
  • PRF-AES128-XCBC
  • PRF-AES128-CMAC
  • PRF-HMAC-SHA1
  • PRF-HMAC-MD5
  • PRF-HMAC-SHA2-256
  • PRF-HMAC-SHA2-384
  • PRF-HMAC-SHA2-512
 Many devices don't require an explicit PRF setting.
Diffie-Hellman (DH)
  • modp_2048 (Group 14)
  • modp_2048_224 (modp_2048s224)
  • modp_2048_256 (modp_2048s256)
  • modp_1536 (Group 5)
  • modp_3072 (Group 15)
  • modp_4096 (Group 16)
  • modp_8192 (Group 18)
  • modp_1024 (Group 2)
  • modp_1024_160 (modp_1024s160)
  • ecp_256 (Group 19)
  • ecp_384 (Group 20)
  • ecp_521 (Group 21)
  • curve_25519 (Group 31)
 Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order.
Phase 1 lifetime 36,000 seconds (10 hours)

Phase 2

Cipher role Cipher Notes
Encryption & Integrity
  • AES-GCM-16-128
  • AES-GCM-16-256
  • AES-GCM-16-192

Cloud VPN's proposal presents these algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order.

The first number in each algorithm is the size of the ICV parameter in bytes (octets), and the second is its key length in bits. Some documentation might express the ICV parameter (the first number) in bits instead (8 becomes 64, 12 becomes 96, 16 becomes 128).
PFS Algorithm (required)
  • modp_2048 (Group 14)
  • modp_2048_224 (modp_2048s224)
  • modp_2048_256 (modp_2048s256)
  • modp_1536 (Group 5)
  • modp_3072 (Group 15)
  • modp_4096 (Group 16)
  • modp_8192 (Group 18)
  • modp_1024 (Group 2)
  • modp_1024_160 (modp_1024s160)
  • ecp_256 (Group 19)
  • ecp_384 (Group 20)
  • ecp_521 (Group 21)
  • curve_25519 (Group 31)
 Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order.
Diffie-Hellman (DH) Refer to Phase 1. If your VPN gateway requires DH settings for Phase 2, use the same settings that you used for Phase 1.
Phase 2 lifetime 10,800 seconds (3 hours)

IKEv2 ciphers that don't use AEAD

Phase 1

Cipher role Cipher Notes
Encryption
  • AES-CBC-128
  • AES-CBC-192
  • AES-CBC-256
  • 3DES-CBC
  • AES-XCBC-96
  • AES-CMAC-96
 Cloud VPN's proposal presents these symmetric encryption algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order.
Integrity
  • HMAC-SHA1-96
  • HMAC-MD5-96
  • HMAC-SHA2-256-128
  • HMAC-SHA2-384-192
  • HMAC-SHA2-512-256

Cloud VPN's proposal presents these HMAC algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order.

Documentation for your on-premises VPN gateway might use a slightly different name for the algorithm. For example, HMAC-SHA2-512-256 might be referred to as SHA2-512 or SHA-512, dropping the truncation length number and other extraneous information.
Pseudo-Random Function (PRF)
  • PRF-AES-128-XCBC
  • PRF-AES-128-CMAC
  • PRF-SHA1
  • PRF-MD5
  • PRF-SHA2-256
  • PRF-SHA2-384
  • PRF-SHA2-512
 Many devices don't require an explicit PRF setting.
Diffie-Hellman (DH)
  • modp_2048 (Group 14)
  • modp_2048_224 (modp_2048s224)
  • modp_2048_256 (modp_2048s256)
  • modp_1536 (Group 5)
  • modp_3072 (Group 15)
  • modp_4096 (Group 16)
  • modp_8192 (Group 18)
  • modp_1024 (Group 2)
  • modp_1024_160 (modp_1024s160)
  • ecp_256 (Group 19)
  • ecp_384 (Group 20)
  • ecp_521 (Group 21)
  • curve_25519 (Group 31)
 Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order.
Phase 1 lifetime 36,000 seconds (10 hours)

Phase 2

Cipher role Cipher Notes
Encryption
  • AES-CBC-128
  • AES-CBC-256
  • AES-CBC-192
 Cloud VPN's proposal presents these symmetric encryption algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order.
Integrity
  • HMAC-SHA2-256-128
  • HMAC-SHA2-512-256
  • HMAC-SHA1-96

Cloud VPN's proposal presents these HMAC algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order.

Documentation for your on-premises VPN gateway might use a slightly different name for the algorithm. For example, HMAC-SHA2-512-256 might be referred to as SHA2-512 or SHA-512, dropping the truncation length number and other extraneous information.
PFS Algorithm (required)
  • modp_2048 (Group 14)
  • modp_2048_224 (modp_2048s224)
  • modp_2048_256 (modp_2048s256)
  • modp_1536 (Group 5)
  • modp_3072 (Group 15)
  • modp_4096 (Group 16)
  • modp_8192 (Group 18)
  • modp_1024 (Group 2)
  • modp_1024_160 (modp_1024s160)
  • ecp_256 (Group 19)
  • ecp_384 (Group 20)
  • ecp_521 (Group 21)
  • curve_25519 (Group 31)
 Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order.
Diffie-Hellman (DH) Refer to Phase 1. If your VPN gateway requires DH settings for Phase 2, use the same settings that you used for Phase 1.
Phase 2 lifetime 10,800 seconds (3 hours)

IKEv1 ciphers

Phase 1

Cipher role Cipher
Encryption AES-CBC-128
Integrity HMAC-SHA1-96
Pseudo-Random Function (PRF)* PRF-SHA1-96
Diffie-Hellman (DH) modp_1024 (Group 2)
Phase 1 lifetime 36,600 seconds (10 hours, 10 minutes)

*For more information about PRF in IKEv1, see RFC 2409.

Phase 2

Cipher role Cipher
Encryption AES-CBC-128
Integrity HMAC-SHA1-96
PFS Algorithm (required) modp_1024 (Group 2)
Diffie-Hellman (DH) If you need to specify DH for your VPN gateway, use the same setting that you used for Phase 1.
Phase 2 lifetime 10,800 seconds (3 hours)

What's next

  • To learn about the basic concepts of Cloud VPN, see the Cloud VPN overview.
  • To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.