Encryption profiles
The confidentiality and integrity of data exchanged over a VPN (site-to-site or client-to-site) depend on robust cryptographic algorithms being negotiated between both peers. Encryption profiles let you list explicitly which algorithms may be negotiated, so that a peer cannot fall back to a weaker one. Even though the pre-configured StrongEncryption profile meets the requirements of Appendix B1 of the RGS (in French), it is advisable to reconfigure the IKE and IPsec encryption profiles manually so that only the algorithms you have chosen remain allowed.
The tables below give the minimum requirements for encryption profiles compatible with the RGS recommendations. The cryptoperiods (lifetimes of the negotiated keys) in these tables are not taken from the RGS and are given for information only; set them according to your organization's security policy.
Minimum requirements for the RGS-compatible IKE encryption profiles

| Parameter | Value |
|---|---|
| Encryption algorithm | AES-CBC 128 |
| Hash function | SHA 256 |
| Diffie-Hellman group | DH group 14 (2048-bit MODP) |
| Cryptoperiod | 21600 s (6 hours) |
Minimum requirements for the RGS-compatible IPsec encryption profiles

| Parameter | Value |
|---|---|
| Encryption algorithm | AES-GCM 256 |
| Hash function | SHA 384 |
| Diffie-Hellman group | DH group 19 (256-bit ECP) |
| Cryptoperiod | 3600 s (1 hour) |
R38 | SNS-SMC | Use strong algorithms for IKE and IPsec
The algorithms used in IKE and IPsec encryption profiles should be at least AES-GCM 256, SHA 384 and Diffie-Hellman group 19. This recommendation is deliberately stricter than the IKE minimum in the table above: the tables give the floor at which a profile remains RGS-compatible, R38 gives the target to configure. Two points are worth keeping in mind when reading these values. Group 19 is a 256-bit elliptic-curve group with roughly 128-bit security, which is stronger than group 14 (2048-bit MODP, roughly 112-bit) despite the smaller number in its name, so do not compare groups by modulus size. And AES-GCM is an authenticated-encryption mode, so ESP integrity is provided by GCM itself; the hash function still matters for IKE, where it serves as PRF and integrity algorithm.
Encryption profiles can be found in Configuration > VPN > IPsec VPN > Encryption profiles for SNS firewalls and in Configuration > Encryption profiles on the SMC server.
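To make the comparison in the tables and in R38 mechanical rather than eyeballed, the following is an added example (not Stormshield's code) of a small checker that rates a configured profile against a minimum profile. Algorithm names follow the strongSwan/IANA style (aes256gcm16, sha384, DH group numbers); the key-size, digest-size and DH-strength tables are the example's own assumptions, with DH strengths taken from the NIST SP 800-57 equivalences. It deliberately compares DH groups by estimated security strength, not by group number, which is why group 15 (3072-bit MODP) is accepted where group 19 is required.

```python
"""Check an IKE or IPsec encryption profile against a minimum profile.

Added example, not Stormshield code. Algorithm names follow the
strongSwan/IANA style; the reference tables below are assumptions for
this example, not values read from any appliance.
"""
from dataclasses import dataclass
from typing import List, Optional

# Symmetric key length in bits (assumed naming convention).
ENCRYPTION_BITS = {
    "des": 56, "3des": 112,
    "aes128": 128, "aes192": 192, "aes256": 256,                  # AES-CBC
    "aes128gcm16": 128, "aes192gcm16": 192, "aes256gcm16": 256,   # AES-GCM
}
# AES-GCM is an AEAD mode: ESP integrity comes from GCM itself, and the
# hash function then only matters for IKE (PRF / integrity).
AEAD = {name for name in ENCRYPTION_BITS if name.endswith("gcm16")}
# Digest length in bits of the integrity / PRF algorithm.
HASH_BITS = {"md5": 128, "sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}
# IKE DH group number -> (name, estimated security strength in bits), after
# NIST SP 800-57 Part 1: MODP-2048 ~112, MODP-3072 ~128, P-256 ~128,
# P-384 ~192, P-521 ~256. Group numbers and modulus sizes are not comparable
# across MODP and ECP: group 19 (256-bit ECP) beats group 14 (2048-bit MODP).
DH_GROUPS = {
    2: ("modp1024", 80), 14: ("modp2048", 112), 15: ("modp3072", 128),
    19: ("ecp256", 128), 20: ("ecp384", 192), 21: ("ecp521", 256),
}


@dataclass(frozen=True)
class Profile:
    encryption: str
    hash: str
    dh_group: int
    cryptoperiod_s: Optional[int] = None  # key lifetime cap; None = no constraint


# Minimum profiles from the two tables and the R38 recommendation.
RGS_IKE_MIN = Profile("aes128", "sha256", 14, 21600)
RGS_IPSEC_MIN = Profile("aes256gcm16", "sha384", 19, 3600)
R38_TARGET = Profile("aes256gcm16", "sha384", 19)


def check_profile(candidate: Profile, minimum: Profile) -> List[str]:
    """Return a list of findings; an empty list means the candidate meets the minimum."""
    findings = []

    enc_bits = ENCRYPTION_BITS.get(candidate.encryption)
    if enc_bits is None or not candidate.encryption.startswith("aes"):
        findings.append(f"encryption: {candidate.encryption} is not an AES algorithm")
    else:
        if enc_bits < ENCRYPTION_BITS[minimum.encryption]:
            findings.append(f"encryption: {enc_bits}-bit key below required "
                            f"{ENCRYPTION_BITS[minimum.encryption]}-bit")
        if minimum.encryption in AEAD and candidate.encryption not in AEAD:
            findings.append("encryption: AES-GCM (AEAD) required, AES-CBC configured")

    hash_bits = HASH_BITS.get(candidate.hash)
    if hash_bits is None or hash_bits < HASH_BITS[minimum.hash]:
        findings.append(f"hash: {candidate.hash} weaker than required {minimum.hash}")

    group = DH_GROUPS.get(candidate.dh_group)
    required = DH_GROUPS[minimum.dh_group]
    if group is None:
        findings.append(f"dh: group {candidate.dh_group} is unknown or unrated")
    elif group[1] < required[1]:
        findings.append(f"dh: group {candidate.dh_group} ({group[0]}, ~{group[1]}-bit) "
                        f"below group {minimum.dh_group} ({required[0]}, ~{required[1]}-bit)")

    # Cryptoperiod is a cap: a longer lifetime than the reference is the finding.
    if (minimum.cryptoperiod_s is not None and candidate.cryptoperiod_s is not None
            and candidate.cryptoperiod_s > minimum.cryptoperiod_s):
        findings.append(f"cryptoperiod: {candidate.cryptoperiod_s}s exceeds "
                        f"{minimum.cryptoperiod_s}s")
    return findings


if __name__ == "__main__":
    # Constructed sample profiles, not read from any real firewall.
    legacy = Profile("3des", "sha1", 2, 86400)
    rgs_floor = Profile("aes128", "sha256", 14, 21600)
    strong_modp = Profile("aes256gcm16", "sha384", 15, 3600)
    for label, prof, minimum in [("legacy vs IKE minimum", legacy, RGS_IKE_MIN),
                                 ("RGS IKE floor vs R38", rgs_floor, R38_TARGET),
                                 ("modp3072 vs IPsec minimum", strong_modp, RGS_IPSEC_MIN)]:
        result = check_profile(prof, minimum)
        print(f"{label}: {'OK' if not result else result}")
```

Run it against the parameters exported from each profile (the profile editor in the paths above shows them one field at a time) and treat any finding as a configuration to correct before the profile is bound to a tunnel.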