Cloud VPN supports the following ciphers and configuration parameters for peer VPN devices or VPN services. Cloud VPN auto-negotiates the connection as long as the peer side uses a supported IKE cipher setting.
For configuration instructions, see Configuring the peer VPN gateway.
The following IKE ciphers are supported for Classic VPN and HA VPN.
IKEv2 ciphers that use AEAD
The following ciphers use authenticated encryption with associated data (AEAD).
Phase 1
Cipher role | Cipher | Notes |
---|---|---|
Encryption & Integrity | | In this list, the first number is the size of the ICV (integrity check value, the authentication tag) in bytes (octets), and the second is the key length in bits. Some documentation expresses the ICV (the first number) in bits instead (8 becomes 64, 12 becomes 96, and 16 becomes 128). |
Pseudo-Random Function (PRF) | | Many devices don't require an explicit PRF setting. |
Diffie-Hellman (DH) | | Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order. |
Phase 1 lifetime | 36,000 seconds (10 hours) | |
Phase 2
Cipher role | Cipher | Notes |
---|---|---|
Encryption & Integrity | | Cloud VPN's proposal presents these algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order. The first number in each algorithm is the size of the ICV in bytes (octets), and the second is its key length in bits. Some documentation expresses the ICV (the first number) in bits instead (8 becomes 64, 12 becomes 96, 16 becomes 128). |
PFS Algorithm (required) | | Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order. |
Diffie-Hellman (DH) | Refer to Phase 1. | If your VPN gateway requires DH settings for Phase 2, use the same settings that you used for Phase 1. |
Phase 2 lifetime | 10,800 seconds (3 hours) | |
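Two of the notes above cause most AEAD interoperability mistakes: the ICV length is written in octets by some vendors and in bits by others, and a peer proposal only has to contain one of Cloud VPN's algorithms, in any order, to be accepted. The following is an added example (not Cloud VPN's or any vendor's code) that normalises AEAD names written in either convention and checks a peer proposal against an ordered list. The algorithm lists in it are constructed stand-ins, because this page does not reproduce Cloud VPN's actual lists; the compact `aes256gcm16` / `aes256gcm128` spelling is the form used by some open-source IKE daemons, and the example handles AEAD names only.

```python
"""Normalise IKEv2 AEAD algorithm names across naming conventions and check a
peer proposal against an ordered list of accepted algorithms."""
import re
from typing import NamedTuple


class Aead(NamedTuple):
    cipher: str    # "AES-GCM" or "AES-CCM"
    icv_bits: int  # 64, 96 or 128 (that is, 8, 12 or 16 octets)
    key_bits: int  # 128, 192 or 256


_ICV_OCTETS = {8, 12, 16}
_ICV_BITS = {64, 96, 128}
_KEY_BITS = {128, 192, 256}


def _icv_to_bits(n: int) -> int:
    # The tag length may be written in octets (8/12/16) or bits (64/96/128);
    # the two ranges do not overlap, so the unit can be inferred from the value.
    if n in _ICV_OCTETS:
        return n * 8
    if n in _ICV_BITS:
        return n
    raise ValueError(f"ICV length {n} is neither a valid octet nor bit count")


def parse_aead(name: str) -> Aead:
    """Accept 'AES-GCM-16-256' (ICV first, then key, as in the tables above)
    or the compact 'aes256gcm16' / 'aes256gcm128' form (key first, then ICV)."""
    s = name.strip().lower()
    m = re.fullmatch(r"aes(\d+)(gcm|ccm)(\d+)", s)
    if m:
        key, mode, icv = int(m.group(1)), m.group(2), int(m.group(3))
    else:
        m = re.fullmatch(r"aes[-_](gcm|ccm)[-_](\d+)[-_](\d+)", s)
        if not m:
            raise ValueError(f"unrecognised AEAD name: {name!r}")
        mode, icv, key = m.group(1), int(m.group(2)), int(m.group(3))
    if key not in _KEY_BITS:
        raise ValueError(f"unsupported AES key length {key} in {name!r}")
    return Aead(f"AES-{mode.upper()}", _icv_to_bits(icv), key)


def canonical(alg: Aead) -> str:
    """Render in the tables' convention: cipher, ICV in octets, key in bits."""
    return f"{alg.cipher}-{alg.icv_bits // 8}-{alg.key_bits}"


def acceptable(cloud_order: list[str], peer_proposal: list[str]) -> list[str]:
    """Algorithms from the peer proposal that also appear in cloud_order,
    returned in cloud_order's order. The proposal is acceptable when this
    list is non-empty; the peer's own ordering does not matter."""
    offered = {parse_aead(n) for n in peer_proposal}
    return [canonical(a) for a in (parse_aead(n) for n in cloud_order) if a in offered]


# Constructed stand-in for an ordered list of accepted AEAD algorithms.
# This is NOT the list from the Cloud VPN documentation.
CLOUD_ORDER_EXAMPLE = ["AES-GCM-16-256", "AES-GCM-16-128", "AES-GCM-12-256"]
# Constructed peer proposals written in the compact naming style.
PEER_OK = ["aes128gcm128", "aes256gcm16", "aes256gcm8"]
PEER_REJECTED = ["aes256gcm8", "aes192gcm16"]

if __name__ == "__main__":
    print(acceptable(CLOUD_ORDER_EXAMPLE, PEER_OK))        # ['AES-GCM-16-256', 'AES-GCM-16-128']
    print(acceptable(CLOUD_ORDER_EXAMPLE, PEER_REJECTED))  # []
```

Because `acceptable` returns the overlap in the accepted list's order rather than a single winner, it tells you whether a proposal will be accepted without claiming which algorithm the responder will select; that choice is made by the IKE implementation at negotiation time.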
IKEv2 ciphers that don't use AEAD
Phase 1
Cipher role | Cipher | Notes |
---|---|---|
Encryption | | Cloud VPN's proposal presents these symmetric encryption algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order. |
Integrity | | Cloud VPN's proposal presents these HMAC algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order. Documentation for your on-premises VPN gateway might use a slightly different name for the algorithm. For example, |
Pseudo-Random Function (PRF) | | Many devices don't require an explicit PRF setting. |
Diffie-Hellman (DH) | | Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order. |
Phase 1 lifetime | 36,000 seconds (10 hours) | |
Phase 2
Cipher role | Cipher | Notes |
---|---|---|
Encryption | | Cloud VPN's proposal presents these symmetric encryption algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order. |
Integrity | | Cloud VPN's proposal presents these HMAC algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order. Documentation for your on-premises VPN gateway might use a slightly different name for the algorithm. For example, |
PFS Algorithm (required) | | Cloud VPN's proposal presents these key exchange algorithms in the order shown. Cloud VPN accepts any proposal that includes one or more of these algorithms in any order. |
Diffie-Hellman (DH) | Refer to Phase 1. | If your VPN gateway requires DH settings for Phase 2, use the same settings that you used for Phase 1. |
Phase 2 lifetime | 10,800 seconds (3 hours) | |
IKEv1 ciphers
Cloud VPN supports a single fixed set of algorithms for IKEv1: AES-CBC-128, HMAC-SHA1-96 and 1024-bit MODP (DH Group 2). SHA1 and Group 2 are legacy choices, so use IKEv2 wherever the peer device supports it.
Phase 1
Cipher role | Cipher |
---|---|
Encryption | AES-CBC-128 |
Integrity | HMAC-SHA1-96 |
Pseudo-Random Function (PRF)* | PRF-SHA1-96 |
Diffie-Hellman (DH) | modp_1024 (Group 2) |
Phase 1 lifetime | 36,600 seconds (10 hours, 10 minutes) |
*For more information about PRF in IKEv1, see RFC 2409.
Phase 2
Cipher role | Cipher |
---|---|
Encryption | AES-CBC-128 |
Integrity | HMAC-SHA1-96 |
PFS Algorithm (required) | modp_1024 (Group 2) |
Diffie-Hellman (DH) | If you need to specify DH for your VPN gateway, use the same setting that you used for Phase 1. |
Phase 2 lifetime | 10,800 seconds (3 hours) |
What's next
- To learn about the basic concepts of Cloud VPN, see the Cloud VPN overview.
- To find resources for maintaining VPN tunnels and gateways, see the Maintaining VPNs how-to guides.
- To help you solve common issues that you might encounter when using Cloud VPN, see Troubleshooting.