Encryption profiles

The confidentiality and integrity of data exchanged over a VPN (site to site or client to site) depend on the use of robust cryptographic algorithms negotiated between both parties. By using encryption profiles, allowed algorithms can be specified. Even though the pre-configured StrongEncryption profile is compatible with the requirements of Appendix B1 of the RGS (in French), it is advisable to manually reconfigure the IKE and IPsec encryption profiles.

In order of preference, the following algorithms are recommended:

  • 256-bit or 128-bit encryption algorithms: AES-GCM, AES-CTR, and AES-CBC;
  • Authentication or integrity algorithms: the GMAC embedded in AES-GCM when AES-GCM is used, otherwise SHA2-512, SHA2-384 or SHA2-256;
  • Diffie-Hellman key exchange algorithms (PFS in phase 2) of at least 256 bits on elliptic curves. If no elliptic curves are available, use moduli of at least 3072 bits. This translates to the following DH group numbers, in order of strength: 30 or 21, 29 or 20, 28 or 19, 18, 17, 16, or 15.

The tables below give the minimum encryption profile that is compatible with the recommendations in the RGS. The cryptoperiods shown in these tables are not taken from the RGS and are given for information only; they must be set according to the organization's security policy.

ANSSI-recommended IKE encryption profile

| Parameter | Lowest value | Recommended value |
|---|---|---|
| Encryption algorithm | AES GCM 256 | AES GCM 256 |
| Diffie-Hellman group | Group DH15 (3072 bits) | Group DH28 (256 bits) |
| Cryptoperiod | 86400s | 21600s |

ANSSI-recommended IPsec encryption profile

| Parameter | Lowest value | Recommended value |
|---|---|---|
| Encryption algorithm | AES CBC 128 | AES GCM 256 |
| Hashing/authentication | SHA 256 | (none needed: GMAC embedded in AES GCM) |
| Diffie-Hellman group | Group DH14 (2048 bits) | Group DH28 (256 bits) |
| Cryptoperiod | 21600s | 3600s |

For more information, refer to ANSSI's Guide on selecting cryptographic algorithms (in French).
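As an added example (not Stormshield's or ANSSI's code), the following script checks a proposed IKE or IPsec profile against the minimum values in the two tables above, including the DH group ordering from the recommendations and the rule that only AES-GCM may omit a separate SHA2 integrity algorithm. The profile field names (cipher, key_bits, integrity, dh_group, cryptoperiod) are assumptions for this example, not SNS configuration keys.

```python
# DH groups from weakest to strongest, following the order in the
# recommendations (15 .. 30). Group 14 is only the floor of the IPsec table.
DH_ORDER = [14, 15, 16, 17, 18, 19, 28, 20, 29, 21, 30]
ALLOWED_CIPHERS = {"AES-GCM", "AES-CTR", "AES-CBC"}
ALLOWED_HASHES = {"SHA2-256", "SHA2-384", "SHA2-512"}

# Lowest acceptable values, transcribed from the two tables above.
MINIMUM = {
    "ike":   {"cipher": "AES-GCM", "key_bits": 256, "dh_group": 15, "cryptoperiod": 86400},
    "ipsec": {"cipher": "AES-CBC", "key_bits": 128, "dh_group": 14, "cryptoperiod": 21600},
}


def dh_strength(group):
    """Rank of a DH group in DH_ORDER; unknown or older groups rank below all."""
    return DH_ORDER.index(group) if group in DH_ORDER else -1


def check_profile(kind, profile):
    """Return a list of findings; an empty list means the profile meets the minimum."""
    floor = MINIMUM[kind]
    findings = []
    cipher, bits = profile["cipher"], profile["key_bits"]
    if cipher not in ALLOWED_CIPHERS or bits < floor["key_bits"]:
        findings.append(f"cipher {cipher}-{bits} below minimum {floor['cipher']}-{floor['key_bits']}")
    elif kind == "ike" and cipher != "AES-GCM":
        findings.append("IKE minimum is AES-GCM 256; AES-CBC/AES-CTR are not sufficient")
    # Integrity: GMAC is embedded in AES-GCM; any other cipher needs a SHA2 hash.
    if cipher != "AES-GCM" and profile.get("integrity") not in ALLOWED_HASHES:
        findings.append(f"integrity {profile.get('integrity')} must be one of {sorted(ALLOWED_HASHES)}")
    if dh_strength(profile["dh_group"]) < dh_strength(floor["dh_group"]):
        findings.append(f"DH group {profile['dh_group']} weaker than minimum group {floor['dh_group']}")
    if profile["cryptoperiod"] > floor["cryptoperiod"]:
        findings.append(f"cryptoperiod {profile['cryptoperiod']}s exceeds {floor['cryptoperiod']}s")
    return findings


# Constructed sample profiles (not taken from any real configuration).
WEAK_IPSEC = {"cipher": "AES-CBC", "key_bits": 128, "integrity": "SHA1",
              "dh_group": 5, "cryptoperiod": 28800}
RECOMMENDED_IKE = {"cipher": "AES-GCM", "key_bits": 256, "dh_group": 28, "cryptoperiod": 21600}

if __name__ == "__main__":
    for name, kind, prof in [("weak ipsec", "ipsec", WEAK_IPSEC),
                             ("recommended ike", "ike", RECOMMENDED_IKE)]:
        print(name, check_profile(kind, prof) or "OK")
```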

R38 | SNS-SMC | Use strong algorithms for IKE and IPsec
We recommend using encryption algorithms that are in line with the details given above, and with ANSSI's Guide on selecting cryptographic algorithms (in French).
Encryption profiles can be found in Configuration > VPN > IPsec VPN > Encryption profiles for SNS firewalls, and in Configuration > Encryption profiles on the SMC server.