IPSEC Encryption algorithms

Encryption algorithms

IKEv1 phase1 encryption algorithm

The default phase1 proposal list is:

aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

Each proposal is written as cipher-hash: the part before the hyphen is the encryption algorithm (with its key length for AES, ARIA and SEED) and the part after it is the integrity algorithm used for the HMAC. The initiator offers its proposals in order and the responder accepts the first one it also supports, so put the strongest proposal first.

DES is a symmetric-key algorithm, which means the same key is used for encrypting and decrypting data. Its 56-bit key is within reach of brute force, so keep it only for legacy peers that support nothing else. FortiGate supports:

  • des-md5, des-sha1, des-sha256, des-sha384, des-sha512

3DES applies the DES algorithm three times to each data block, giving an effective strength of about 112 bits at roughly a third of the speed of DES. FortiGate supports:

  • 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512

AES is a symmetric-key algorithm available with three key lengths: 128, 192 and 256 bits. FortiGate supports:

  • aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512
  • aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512
  • aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512

ARIA is a symmetric-key block cipher with an AES-like structure, also available with 128, 192 and 256-bit keys. FortiGate supports:

  • aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512
  • aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512
  • aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512

SEED is a symmetric-key block cipher with a 128-bit key. FortiGate supports:

  • seed128-md5, seed128-sha1, seed128-sha256, seed128-sha384, seed128-sha512

Suite-B is a set of cryptographic algorithms; in the phase1 proposal it selects AES in GCM mode, an authenticated-encryption mode that produces its own integrity check value (ICV), so these proposals carry no separate hash suffix. FortiGate supports Suite-B on new kernel platforms only. Suite-B IPsec traffic cannot be offloaded to an NPU; on platforms with a CP9 content processor it is offloaded there, otherwise packets are encrypted and decrypted in software. FortiGate supports:

  • suite-b-gcm-128, suite-b-gcm-256

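The proposal naming scheme above (cipher, then integrity hash, except for the Suite-B GCM entries which carry no hash) is easy to audit mechanically. The following script is an added example for this page, not FortiOS code or the site author's: it parses proposal tokens, flags DES, 3DES, MD5 and SHA-1, and walks a `config vpn ipsec phase1-interface` dump reporting weak proposals per tunnel. The configuration it reads is constructed; only the `edit "name"` and `set proposal ...` line formats are assumed to match a FortiOS config dump.

```python
"""Audit FortiOS IKE phase1 proposal strings for weak algorithms.

Added example, not FortiOS code. SAMPLE_CONFIG below is constructed; only
the `set proposal` line syntax follows the `config vpn ipsec
phase1-interface` dump format.
"""
import re

# Cipher families named on the page and their effective key strength in bits.
CIPHER_KEY_BITS = {
    "des": 56,
    "3des": 112,   # 168 bits of key material, ~112-bit effective strength
    "aes128": 128, "aes192": 192, "aes256": 256,
    "aria128": 128, "aria192": 192, "aria256": 256,
    "seed128": 128,
    "suite-b-gcm-128": 128, "suite-b-gcm-256": 256,
}
INTEGRITY_HASHES = {"md5", "sha1", "sha256", "sha384", "sha512"}

# What a practitioner would flag in a current deployment.
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5", "sha1"}


def parse_proposal(token):
    """Split one proposal token into (cipher, integrity_hash).

    Suite-B entries are AES-GCM: the cipher produces the ICV itself, so
    there is no hash suffix and the second element is None.
    """
    if token.startswith("suite-b-gcm-"):
        if token not in CIPHER_KEY_BITS:
            raise ValueError(f"unknown proposal: {token}")
        return token, None
    cipher, sep, hash_ = token.rpartition("-")
    if not sep or cipher not in CIPHER_KEY_BITS:
        raise ValueError(f"unknown proposal: {token}")
    if hash_ not in INTEGRITY_HASHES:
        raise ValueError(f"unknown integrity algorithm in {token}")
    return cipher, hash_


def weaknesses(token):
    """Return the reasons a proposal is weak (empty list if none)."""
    cipher, hash_ = parse_proposal(token)
    reasons = []
    if cipher in WEAK_CIPHERS:
        reasons.append(f"{cipher}: {CIPHER_KEY_BITS[cipher]}-bit effective key, 64-bit block")
    if hash_ in WEAK_HASHES:
        reasons.append(f"{hash_}: deprecated integrity algorithm")
    return reasons


EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"')
PROPOSAL_RE = re.compile(r"^\s*set proposal\s+(.+?)\s*$")


def audit_phase1_config(config_text):
    """Map tunnel name -> [(proposal, reason), ...] for every weak proposal."""
    findings = {}
    tunnel = None
    for line in config_text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            tunnel = m.group(1)          # start of an `edit "<tunnel>"` block
            continue
        m = PROPOSAL_RE.match(line)
        if m and tunnel:
            for token in m.group(1).split():
                for reason in weaknesses(token):
                    findings.setdefault(tunnel, []).append((token, reason))
    return findings


# Constructed sample dump: one tunnel with the page's default list, one with
# legacy ciphers, one with Suite-B only strong proposals.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 1
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dhgrp 14
    next
    edit "to-legacy-partner"
        set interface "wan1"
        set ike-version 1
        set proposal 3des-md5 des-sha1 aes256-sha512
        set dhgrp 2
    next
    edit "to-dc"
        set interface "wan2"
        set ike-version 1
        set proposal suite-b-gcm-256 aes256-sha512
        set dhgrp 16
    next
end
"""

if __name__ == "__main__":
    for name, items in audit_phase1_config(SAMPLE_CONFIG).items():
        print(name)
        for token, reason in items:
            print(f"  {token:18} {reason}")
```

Run it against a real `show vpn ipsec phase1-interface` dump saved to a file to get a per-tunnel list of proposals worth removing; the SHA-1 hits in the default list show why the defaults are a starting point rather than a hardened baseline.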
This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (cybersecurity consulting firm).

4 thoughts on “IPSEC Encryption algorithms”

  1. Billy Dodson

    I can't seem to find any straight-up documentation that recommends a specific set of Phase1/2 settings for being secure while offering the best performance. It seems like it's just a roll of the dice on which ones to choose.

    1. Mike Post author

      I roll with AES256/SHA512 most of the time with a DH Group of 16. I have no idea how it compares performance wise though. It really depends on the organizations needs.

  2. a.nabil

    Hi Mike,

    I have questions related to VPN IKEv1 and IKEv2: when I tried to use DH group 5 I got some strange behavior; sometimes it's dropping some subnets and allowing another subnet. Once I disable DH5 on phase 2 and use DH 2 on phase 1, everything is working fine.
    So is that an issue with the protocol or with FortiGate firewalls? I will be grateful for your reply.

  3. a.nabil

    Hi Mike
    I tried to use DH5 in phase 2; each time I ended up with strange behavior: some local subnets can reach the remote subnet and others can't. Is this an issue with the algorithm or with the FortiGate firewall?
