Encryption profiles

The confidentiality and integrity of data exchanged over a VPN (site to site or client to site) depend on the use of robust cryptographic algorithms negotiated between both parties. Encryption profiles make it possible to list explicitly which algorithms are allowed. Even though the pre-configured StrongEncryption profile is compatible with the requirements of Appendix B1 of the RGS (in French), it is advisable to manually reconfigure the IKE and IPsec encryption profiles.

The tables below provide the minimum requirements for encryption profiles that are compatible with the recommendations in the RGS. The cryptoperiods indicated in these tables are not taken directly from the RGS and are given for information only. They must be set according to the organization’s security policy.

Minimum requirements for the RGS-compatible IKE encryption profiles

| Parameter | Value |
|---|---|
| Encryption algorithm | AES-CBC 128 |
| Hash function | SHA 256 |
| Diffie-Hellman group | DH group 14 (2048 bits) |
| Cryptoperiod | 21600 s |

Minimum requirements for the RGS-compatible IPsec encryption profiles

| Parameter | Value |
|---|---|
| Encryption algorithm | AES-GCM 256 |
| Hash function | SHA 384 |
| Diffie-Hellman group | Group 19 (256 bits) |
| Cryptoperiod | 3600 s |

R38 | SNS-SMC | Use strong algorithms for IKE and IPsec
The algorithms used in IKE and IPsec encryption profiles should be at least AES-GCM 256, SHA 384 and Diffie-Hellman group 19.
Encryption profiles can be found in Configuration > VPN > IPsec VPN > Encryption profiles for SNS firewalls and in Configuration > Encryption profiles on the SMC server.
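
The following added example, which is not part of the original guide or of any Stormshield tooling, checks profile settings against the R38 level and the informational cryptoperiods from the tables above. The dictionary keys, the function name and the reading of "at least group 19" as ECP groups 19, 20 and 21 are assumptions of this sketch; the sample profiles are constructed from the table values.

```python
import re

# R38 floor as stated on the page. Assumption of this sketch: "at least
# group 19" is read as the ECP groups 19, 20 and 21 (256/384/521-bit curves).
ACCEPTED_DH_GROUPS = {19, 20, 21}
MIN_AES_GCM_KEY_BITS = 256
MIN_SHA_BITS = 384
# Informational cryptoperiods from the tables; adjust to local policy.
MAX_LIFETIME_S = {"ike": 21600, "ipsec": 3600}


def audit_profile(profile, kind):
    """Return R38 findings for one profile ('ike' or 'ipsec').

    The dict keys are hypothetical; values use the labels from the tables.
    """
    findings = []
    enc = re.fullmatch(r"AES-([A-Z]+)\s*(\d+)", profile["encryption"].strip(), re.I)
    if not (enc and enc.group(1).upper() == "GCM"
            and int(enc.group(2)) >= MIN_AES_GCM_KEY_BITS):
        findings.append(f"encryption: {profile['encryption']!r} is below AES-GCM 256")
    sha = re.fullmatch(r"SHA[\s-]*(\d+)", profile["hash"].strip(), re.I)
    if not (sha and int(sha.group(1)) >= MIN_SHA_BITS):
        findings.append(f"hash: {profile['hash']!r} is below SHA 384")
    grp = re.search(r"group\s*(\d+)", profile["dh"], re.I)
    if not (grp and int(grp.group(1)) in ACCEPTED_DH_GROUPS):
        findings.append(f"dh: {profile['dh']!r} is below group 19")
    if profile["lifetime_s"] > MAX_LIFETIME_S[kind]:
        findings.append(f"cryptoperiod: {profile['lifetime_s']}s exceeds "
                        f"{MAX_LIFETIME_S[kind]}s")
    return findings


# Constructed sample profiles: the two table minimums, plus a drifted one.
IKE_TABLE_MIN = {"encryption": "AES-CBC 128", "hash": "SHA 256",
                 "dh": "DH group 14 (2048 bits)", "lifetime_s": 21600}
IPSEC_TABLE_MIN = {"encryption": "AES-GCM 256", "hash": "SHA 384",
                   "dh": "Group 19 (256 bits)", "lifetime_s": 3600}
IPSEC_LONG_LIFETIME = dict(IPSEC_TABLE_MIN, lifetime_s=86400)

if __name__ == "__main__":
    for name, prof, kind in [("IKE table minimum", IKE_TABLE_MIN, "ike"),
                             ("IPsec table minimum", IPSEC_TABLE_MIN, "ipsec"),
                             ("IPsec long lifetime", IPSEC_LONG_LIFETIME, "ipsec")]:
        print(name, audit_profile(prof, kind) or "OK")
```

Run against the table values, the IKE minimum is flagged on encryption, hash and Diffie-Hellman group, which shows the gap between the RGS-compatible minimum and the R38 level.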