Supported IKE Ciphers

Cloud VPN supports the following ciphers and configuration parameters for on-premises VPN devices or VPN services. Cloud VPN auto-negotiates the connection as long as the on-premises side uses a supported IKE cipher setting.

For configuration instructions, see Configuring the On-premises VPN Gateway.

For each role, the most secure option presently supported in Cloud VPN is bolded.

Note: Cloud VPN operates in IPSec ESP Tunnel Mode.

IKEv2 supported ciphers

Phase 1

  Encryption
    • 3DES
    • AES-CBC-128, AES-CBC-192, AES-CBC-256
    • AES-GCM-128-8, AES-GCM-192-8, AES-GCM-256-8
    • AES-GCM-128-12, AES-GCM-192-12, AES-GCM-256-12
    • AES-GCM-128-16, AES-GCM-192-16, AES-GCM-256-16
    On some platforms the GCM ICV length is specified in bits (64, 96, 128) rather than in octets (8, 12, 16).

  Integrity
    • HMAC-MD5-96
    • HMAC-SHA1-96
    • AES-XCBC-96, AES-CMAC-96
    • HMAC-SHA2-256-128, HMAC-SHA2-384-192, HMAC-SHA2-512-256
    These names vary by platform. For example, HMAC-SHA2-512-256 may be listed as just SHA-512, dropping the truncation length and other qualifiers.

  Pseudo-Random Function (PRF)
    • PRF-MD5-96
    • PRF-SHA1-96
    • PRF-AES-XCBC-96, PRF-AES-CMAC-96
    • PRF-SHA2-256, PRF-SHA2-384, PRF-SHA2-512
    Many devices do not require an explicit PRF setting.

  Diffie-Hellman (DH)
    • Group 2 (modp_1024), Group 5 (modp_1536), Group 14 (modp_2048), Group 15 (modp_3072), Group 16 (modp_4096)
    • modp_1024s160, modp_2048s224, modp_2048s256

  Phase 1 lifetime
    36,000 seconds (10 hours)

Phase 2

  Encryption
    • 3DES
    • AES-CBC-128, AES-CBC-192, AES-CBC-256
    • AES-GCM-128-8, AES-GCM-192-8, AES-GCM-256-8
    • AES-GCM-128-12, AES-GCM-192-12, AES-GCM-256-12
    • AES-GCM-128-16, AES-GCM-192-16, AES-GCM-256-16
    On some platforms the GCM ICV length is specified in bits (64, 96, 128) rather than in octets (8, 12, 16).

  Integrity
    • HMAC-MD5-96
    • HMAC-SHA1-96
    • AES-XCBC-96, AES-CMAC-96
    • HMAC-SHA2-256-128, HMAC-SHA2-384-192, HMAC-SHA2-512-256
    These names vary by platform. For example, HMAC-SHA2-512-256 may be listed as just SHA-512, dropping the truncation length and other qualifiers.

  PFS Algorithm (required)
    • Group 2 (modp_1024), Group 5 (modp_1536), Group 14 (modp_2048), Group 15 (modp_3072), Group 16 (modp_4096), Group 18 (modp_8192)
    • modp_1024s160, modp_2048s224, modp_2048s256

  Diffie-Hellman (DH)
    Some devices require a DH value for Phase 2. If so, use the same value that you used in Phase 1.

  Phase 2 lifetime
    10,800 seconds (3 hours)
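The two platform caveats in the IKEv2 table (ICV lengths given in bits instead of octets, and shortened integrity names such as SHA-512) are where mismatched proposals usually come from. The following script is an added example, not code from this page or from Cloud VPN: it normalizes vendor-style cipher spellings onto the names used in the table and reports, per phase and role, whether each entry is supported. The accepted spellings go beyond the page's single SHA-512 example (lowercase names, bare group numbers, SHA-256/384 shorthand), and the "legacy" classification of 3DES, MD5, SHA-1 and sub-2048-bit MODP groups is the editor's, not the page's.

```python
"""Check an on-premises IKEv2 proposal against the Cloud VPN cipher table above.

Added example; not part of Cloud VPN or its documentation.
"""
import re

# Cipher names transcribed from the IKEv2 table on this page.
IKEV2 = {
    "encryption": {"3DES", "AES-CBC-128", "AES-CBC-192", "AES-CBC-256"}
    | {f"AES-GCM-{key}-{icv}" for key in (128, 192, 256) for icv in (8, 12, 16)},
    "integrity": {"HMAC-MD5-96", "HMAC-SHA1-96", "AES-XCBC-96", "AES-CMAC-96",
                  "HMAC-SHA2-256-128", "HMAC-SHA2-384-192", "HMAC-SHA2-512-256"},
    "prf": {"PRF-MD5-96", "PRF-SHA1-96", "PRF-AES-XCBC-96", "PRF-AES-CMAC-96",
            "PRF-SHA2-256", "PRF-SHA2-384", "PRF-SHA2-512"},
    "dh": {"modp_1024", "modp_1536", "modp_2048", "modp_3072", "modp_4096",
           "modp_1024s160", "modp_2048s224", "modp_2048s256"},
}
# The Phase 2 PFS row additionally lists Group 18.
IKEV2_PFS = IKEV2["dh"] | {"modp_8192"}

# DH group number -> MODP name, as paired on the page.
DH_GROUPS = {2: "modp_1024", 5: "modp_1536", 14: "modp_2048",
             15: "modp_3072", 16: "modp_4096", 18: "modp_8192"}
# GCM ICV length in bits (some platforms) -> octets (as on this page).
ICV_BITS_TO_OCTETS = {64: 8, 96: 12, 128: 16}
# Full names behind the shorthand some platforms use (the page's example is SHA-512).
SHA2_INTEGRITY = {256: "HMAC-SHA2-256-128", 384: "HMAC-SHA2-384-192",
                  512: "HMAC-SHA2-512-256"}
# Editor's classification, not from the page: supported but widely deprecated.
LEGACY = {"3DES", "HMAC-MD5-96", "HMAC-SHA1-96", "PRF-MD5-96", "PRF-SHA1-96",
          "modp_1024", "modp_1536", "modp_1024s160"}


def canonicalize(role: str, name: str) -> str:
    """Map a vendor-style spelling onto the spelling used in the table."""
    n = name.strip().upper().replace(" ", "")
    if role in ("dh", "pfs"):
        m = re.fullmatch(r"(?:GROUP)?(\d+)", n)
        if m:  # "Group 14" / "14" -> modp_2048
            return DH_GROUPS.get(int(m.group(1)), n)
        return n.lower()  # modp_* names are lowercase on the page
    m = re.fullmatch(r"AES-GCM-(\d+)-(\d+)", n)
    if m:  # ICV given in bits (64/96/128) -> octets (8/12/16)
        key, icv = int(m.group(1)), int(m.group(2))
        return f"AES-GCM-{key}-{ICV_BITS_TO_OCTETS.get(icv, icv)}"
    if role == "integrity":
        m = re.fullmatch(r"(?:HMAC-)?SHA-?2?-?(256|384|512)(?:-(\d+))?", n)
        if m:  # "SHA-512" / "HMAC-SHA2-512" -> HMAC-SHA2-512-256
            full = SHA2_INTEGRITY[int(m.group(1))]
            if m.group(2) is None or full.endswith("-" + m.group(2)):
                return full
    if role == "prf":
        m = re.fullmatch(r"(?:PRF-)?(?:HMAC-)?SHA-?2?-?(256|384|512)", n)
        if m:  # "sha2-384" / "HMAC-SHA-384" -> PRF-SHA2-384
            return f"PRF-SHA2-{m.group(1)}"
    return n


def allowed(phase: int, role: str) -> set:
    """Return the table's set for this phase and cipher role."""
    if phase == 1 and role in IKEV2:
        return IKEV2[role]
    if phase == 2 and role in ("encryption", "integrity"):
        return IKEV2[role]
    if phase == 2 and role == "pfs":
        return IKEV2_PFS
    raise ValueError(f"the IKEv2 table has no {role!r} row for phase {phase}")


def check(phase: int, role: str, name: str) -> str:
    """'supported', 'legacy' (supported but deprecated) or 'unsupported'."""
    canon = canonicalize(role, name)
    if canon not in allowed(phase, role):
        return "unsupported"
    return "legacy" if canon in LEGACY else "supported"


def audit(proposal: dict) -> dict:
    """proposal maps (phase, role) -> list of names; returns a status per entry."""
    return {(phase, role, name): check(phase, role, name)
            for (phase, role), names in proposal.items() for name in names}


if __name__ == "__main__":
    # Constructed sample proposal, spelled the way several vendors spell things.
    sample = {
        (1, "encryption"): ["aes-gcm-256-128", "3des"],
        (1, "integrity"): ["SHA-512", "hmac-sha1-96"],
        (1, "prf"): ["sha2-512"],
        (1, "dh"): ["Group 14", "Group 18"],
        (2, "encryption"): ["AES-CBC-256"],
        (2, "integrity"): ["HMAC-SHA2-256-128"],
        (2, "pfs"): ["Group 18", "modp_1024"],
    }
    for (phase, role, name), status in audit(sample).items():
        print(f"phase {phase} {role:<10} {name:<18} -> {status}")
```

Note that Group 18 comes out as unsupported for Phase 1 DH but supported for Phase 2 PFS, which matches the two rows of the table; keeping the two sets separate is the point of `allowed()`.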
IKEv1 supported ciphers

Phase 1

  Encryption
    AES-CBC-128

  Integrity
    HMAC-SHA1-96

  PFS Algorithm (required)
    Group 2 (modp_1024)

  Pseudo-Random Function (PRF)
    PRF-SHA1-96

  Diffie-Hellman (DH)
    Group 2 (modp_1024)

  Phase 1 lifetime
    36,600 seconds (10 hours, 10 minutes)

Phase 2

  Encryption
    AES-CBC-128

  Integrity
    HMAC-SHA1-96

  Diffie-Hellman (DH)
    Some devices require a DH value for Phase 2. If so, use the same value that you used in Phase 1.

  Phase 2 lifetime
    10,800 seconds (3 hours)
