IPSEC Encryption algorithms
Encryption algorithms
IKEv1 phase1 encryption algorithm
The default encryption algorithm is:
aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
DES is a symmetric-key algorithm which means the same key is used for encrypting and decrypting data. FortiGate supports:
- des-md5 l des-sha1 l des-sha256 l des-sha384 l des-sha512
3DES apply DES algorithm three times to each data. FortiGate supports:
- 3des-md5 l 3des-sha1 l 3des-sha256 l 3des-sha384 l 3des-sha512
AES is a symmetric-key algorithm with different key length: 128, 192, and 256 bits. FortiGate supports:
- aes128-md5 l aes128-sha1 l aes128-sha256 l aes128-sha384 l aes128-sha512 l aes192-md5 l aes192-sha1 l aes192-sha256 l aes192-sha384 l aes192-sha512 l aes256-md5 l aes256-sha1 l aes256-sha256 l aes256-sha384 l aes256-sha512
The ARIA algorithm is based on AES with different key length: 128, 192, and 256 bits. FortiGate supports:
- aria128-md5 l aria128-sha1 l aria128-sha256 l aria128-sha384 l aria128-sha512 l aria192-md5 l aria192-sha1 l aria192-sha256 l aria192-sha384 l aria192-sha512 l aria256-md5 l aria256-sha1 l aria256-sha256
aria256-sha384 aria256-sha512
SEED is a symmetric-key algorithm. FortiGate supports:
- seed128-md5 l seed128-sha1 l seed128-sha256 l seed128-sha384 l seed128-sha512
Suite-B is a set of encryption algorithm, AES encryption with ICV in GCM mode. FortiGate supports Suite-B on new kernel platforms only. IPsec traffic cannot offload to NPU. CP9 supports Suite-B offloading, otherwise packets are encrypted and decrypted by software. FortiGate supports:
- suite-b-gcm-128 l suite-b-gcm-256
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos
Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos
I cant seem to find any straight up documentation that recommends a specific set of Phase1/2 settings for being secure but offering the best performance. It seems like its just a roll of the dice on which ones to choose.
I roll with AES256/SHA512 most of the time with a DH Group of 16. I have no idea how it compares performance wise though. It really depends on the organizations needs.
Hi Mike,
I have questions that related to VPN ike1 and ike2, when I tried to use DH group 5 I got some strange behavior some times it’s dropping some subnets and allowing another subnet, Once I disable DH5 on phase2 and use DH 2 on phase 1 everything is working fine.
So is that issue with the protocol or with FortiGate firewalls? I will be grateful for your reply
Hi Mike
i tried to use DH5 in phase 2 each time i ended up with strange behavior some local sub-net can reach remote sub-net and other can’t reach. is this issue with algorithm or with fortigate firewall