IPsec-VPN uses IKE (Internet Key Exchange) to negotiate keys and IPsec to encrypt data in transit. Both phases require an encryption algorithm, an authentication algorithm, and a DH group. Use this reference to choose a suitable combination.
We recommend the AES256-GCM-16 + SHA256 + DH Group 14 cipher suite for the IKE and IPsec phases on an IPsec-VPN gateway. For a Classic VPN gateway or a Transit Router, we recommend AES256 + SHA256 + DH Group 14.
IKE encryption algorithm
Encrypts data exchanged during IKE key negotiation.
|
Algorithm |
Key length |
Security |
Performance |
VPN Gateway |
Transit Router |
Recommendation |
|
AES256-GCM-16 |
256-bit |
Very High |
High (hardware acceleration) |
enhanced only |
Not supported |
Recommended |
|
AES128-GCM-16 |
128-bit |
High |
Very High (hardware acceleration) |
enhanced only |
Not supported |
Recommended |
|
AES256 |
256-bit |
High |
Medium |
enhanced / standard |
Supported |
Recommended |
|
AES192 |
192-bit |
High |
Medium |
enhanced / standard |
Supported |
Available |
|
AES128 |
128-bit |
Medium |
High |
enhanced / standard |
Supported |
Available |
|
3DES |
168-bit |
Low |
Low |
enhanced / standard |
Supported |
Not Recommended |
|
DES |
56-bit |
Very Low |
Medium |
enhanced / standard |
Supported |
Not Recommended |
|
SM4 |
128-bit |
High (Chinese cryptographic standard) |
Medium |
standard only |
Not supported |
Recommended for Chinese cryptographic scenarios |
DES (56-bit) and 3DES (168-bit) are vulnerable to brute-force attacks. Use AES128 or stronger in production.
GCM mode
AES-GCM (Galois/Counter Mode) is an AEAD mode that combines encryption and integrity verification. Advantages over CBC mode:
-
Higher performance: Supports parallel processing and hardware acceleration for higher throughput.
-
Stronger security: Built-in integrity check eliminates the need for a separate authentication algorithm.
-
Lower latency: Encryption and authentication in a single pass reduces processing overhead.
AES128-GCM-16 and AES256-GCM-16 are available only on enhanced VPN Gateways. They are not supported on standard VPN Gateways or Transit Routers.
IKE authentication algorithm
Verifies packet integrity during IKE negotiation and prevents tampering.
|
Algorithm name |
Digest length |
Security |
Performance |
VPN Gateway |
Transit Router |
Recommendation |
|
SHA512 |
512-bit |
Extremely High |
Low |
enhanced / traditional |
Supported |
Recommended for high-security scenarios |
|
SHA384 |
384-bit |
High |
Medium |
enhanced / traditional |
Supported |
Available |
|
SHA256 |
256-bit |
High |
High |
enhanced / traditional |
Supported |
Recommended |
|
SHA1 |
160-bit |
Medium |
High |
enhanced / traditional |
Supported |
Available for compatibility scenarios |
|
MD5 |
128-bit |
Low |
Extremely High |
enhanced / traditional |
Supported |
Not recommended |
|
SM3 |
256-bit |
High (GM standard) |
Medium |
traditional only |
Not Supported |
Recommended for GM-required scenarios |
MD5 is vulnerable to collision attacks. Use SHA256 or stronger in production.
IPsec encryption algorithm
Encrypts data traffic during the IPsec phase. The same algorithms are available as for the IKE phase.
|
Algorithm |
Key length |
Security |
Performance |
VPN gateway support |
Transit router support |
Recommendation |
|
AES256-GCM-16 |
256-bit |
Extremely High |
High (hardware acceleration) |
enhanced only |
Not supported |
Recommended |
|
AES128-GCM-16 |
128-bit |
High |
Extremely High (hardware acceleration) |
enhanced only |
Not supported |
Recommended |
|
AES256 |
256-bit |
High |
Medium |
enhanced / standard |
Supported |
Recommended |
|
AES192 |
192-bit |
High |
Medium |
enhanced / standard |
Supported |
Available |
|
AES128 |
128-bit |
Medium |
High |
enhanced / standard |
Supported |
Available |
|
3DES |
168-bit |
Low |
Low |
enhanced / standard |
Supported |
Not recommended |
|
DES |
56-bit |
Extremely Low |
Medium |
enhanced / standard |
Supported |
Not recommended |
|
SM4 |
128-bit |
High (Guomi standard) |
Medium |
standard only |
Not supported |
Recommended for Guomi scenarios |
You can use different encryption algorithms for IKE and IPsec. For example, AES256 for IKE key negotiation and AES128 for IPsec data traffic to increase throughput. However, using the same algorithm for both phases simplifies configuration and maintenance.
IPsec authentication algorithm
Verifies the integrity of transmitted data. The same algorithms are available as for IKE authentication.
|
Algorithm name |
Digest length |
Security |
Performance |
VPN gateway type |
Transit router support |
Recommendation |
|
SHA512 |
512-bit |
Extremely High |
Low |
Enhanced / Classic |
Supported |
Recommended for high-security scenarios |
|
SHA384 |
384-bit |
High |
Medium |
Enhanced / Classic |
Supported |
A viable option |
|
SHA256 |
256-bit |
High |
High |
Enhanced / Classic |
Supported |
Recommended |
|
SHA1 |
160-bit |
Medium |
High |
Enhanced / Classic |
Supported |
Available for compatibility purposes |
|
MD5 |
128-bit |
Low |
Extremely High |
Enhanced / Classic |
Supported |
Not recommended |
|
SM3 |
256-bit |
High (GM) |
Medium |
Classic only |
Not supported |
Recommended for GM scenarios |
AES-GCM provides built-in integrity verification (AEAD) through GCM mode. When GCM is used, the authentication algorithm protects only IKE negotiation, while GCM handles IPsec data integrity.
DH group
A DH group (Diffie-Hellman group) generates a shared key during IKE key exchange. Longer keys provide stronger security but increase computational overhead. PFS (Perfect Forward Secrecy) in the IPsec phase also uses a DH group.
|
DH group |
Key length |
Security |
Performance |
Recommendation |
Description |
|
Group 1 |
768-bit |
Very Low |
Very High |
Not Recommended |
Considered insecure. Use only for compatibility with legacy devices. |
|
Group 2 |
1024-bit |
Low |
High |
Not Recommended |
Offers insufficient security. Upgrading to Group 14 is recommended. |
|
Group 5 |
1536-bit |
Medium |
Medium |
Usable |
Offers moderate security. Suitable for transitional use. |
|
Group 14 |
2048-bit |
High |
Medium |
Recommended |
The current mainstream choice, offering a good balance between security and performance. |
|
Group 24 |
2048-bit (elliptic curve) |
High |
High |
Usable |
An elliptic curve-based DH exchange that offers better performance than Group 14. |
We recommend DH group 14 (2048-bit). Group 1 and Group 2 do not meet modern security requirements and are not recommended for production. For the IPsec phase, enable PFS and use the same DH group as the IKE phase.
Guomi algorithm
Guomi (GM) algorithms are Chinese commercial cryptographic algorithms certified by the State Cryptography Administration. IPsec-VPN supports SM4 for encryption and SM3 for authentication.
SM4 encryption
|
Property |
Description |
|
Algorithm type |
Symmetric block cipher |
|
Key length |
128-bit |
|
Block size |
128-bit |
|
Security level |
High (compliant with Chinese national cryptographic standards) |
|
Usage |
IKE encryption, IPsec encryption |
|
Scope |
Only for IPsec connections that are bound to a Classic VPN Gateway |
SM4 has security strength comparable to AES-128. As a core symmetric cipher in China's commercial cryptography system, it is widely used in finance and government sectors.
SM3 authentication
|
Property |
Description |
|
Algorithm type |
cryptographic hash algorithm |
|
Digest length |
256-bit |
|
Security level |
High (compliant with Chinese national cryptographic standards) |
|
Usage |
IKE authentication, IPsec authentication |
|
Scope |
Only for IPsec connections that are bound to a Classic VPN Gateway |
SM3 has security strength comparable to SHA-256. As a core hash algorithm in China's commercial cryptography system, it is used for data integrity checks and digital signatures.
Limitations of Guomi algorithms:
-
Guomi algorithms can be used only with IPsec connections that are bound to a Classic VPN Gateway.
-
Guomi algorithms are not supported with an Enhanced VPN Gateway or a Transit Router.
-
When using Guomi algorithms, a VPN Gateway does not support IPsec connections over a private network.
-
Guomi algorithms are supported only in Chinese mainland regions.
-
SM4 and SM3 must be used together. They cannot be combined with other algorithms. For example, the combination of SM4 and SHA-256 is not supported.
Recommended cipher suites
Select a cipher suite based on your security requirements and device compatibility.
|
Security level |
Encryption algorithm |
Authentication algorithm |
DH group |
Use case |
|
Very High (Recommended) |
AES256-GCM-16 |
SHA256 |
Group 14 |
For an enhanced VPN Gateway that requires high security and performance. |
|
High |
AES256 |
SHA256 |
Group 14 |
For general production environments that require good compatibility. |
|
Medium |
AES128 |
SHA256 |
Group 14 |
For high-performance data transfer. |
|
Basic |
AES128 |
SHA1 |
Group 2 |
For compatibility with non-upgradable legacy devices. |
|
SM algorithm |
SM4 |
SM3 |
Group 14 |
For use cases that require SM algorithm compliance. |
FAQ
IKE version selection
-
IKEv2 (Recommended): More efficient negotiation, native support for multiple subnets and NAT traversal, and stronger security.
-
IKEv1: Compatible with legacy devices, but has a more complex negotiation process and limited multi-subnet support.
Use IKEv2 if the peer gateway supports it.
Same algorithms for IKE and IPsec
No. You can configure different algorithms for IKE and IPsec. However, using the same combination for both simplifies operations and reduces configuration errors.
Handling peers without AES-GCM
Both peers must support AES-GCM. If your peer does not, use AES256 + SHA256 + DH group 14, which provides strong security with broad compatibility.
Enabling PFS
Yes. We highly recommend enabling it. PFS (Perfect Forward Secrecy) ensures that previously negotiated session keys remain secure even if a long-term key is compromised. With PFS enabled, the system performs a new DH key exchange each time it renegotiates the Security Association (SA). Use the same DH group for PFS as for the IKE phase.