IPsec encryption algorithms

Sophos Firewall supports the following encryption algorithms for IKEv1 and IKEv2 phase 1 and 2.

IKEv2 ciphers

Sophos Firewall supports these encryption algorithms for IKEv2.

Phase 1

| DH group | Encryption | Authentication |
|---|---|---|
| 1 (DH768) | AES256 | SHA2 512 |
| 2 (DH1024) | AES192 | SHA2 384 |
| 5 (DH1536) | AES128 | SHA2 256 |
| 14 (DH2048) | Blowfish | SHA1 |
| 15 (DH3072) | 3DES | MD5 |
| 16 (DH4096) | | |
| 17 (DH6144) | | |
| 18 (DH8192) | | |
| 25 (ecp192) | | |
| 26 (ecp224) | | |
| 19 (ecp256) | | |
| 20 (ecp384) | | |
| 21 (ecp521) | | |
| 31 (curve25519) | | |

Phase 2

| DH group | Encryption | Authentication |
|---|---|---|
| None | AES256 | SHA2 512 |
| Same as phase-I | AES192 | SHA2 384 |
| 1 (DH768) | AES128 | SHA2 256 |
| 2 (DH1024) | Blowfish | SHA1 |
| 5 (DH1536) | 3DES | MD5 |
| 14 (DH2048) | AES256GCM16 | |
| 15 (DH3072) | AES192GCM16 | |
| 16 (DH4096) | AES128GCM16 | |
| 17 (DH6144) | AES256GMAC | |
| 18 (DH8192) | AES192GMAC | |
| 25 (ecp192) | AES128GMAC | |
| 26 (ecp224) | | |
| 19 (ecp256) | | |
| 20 (ecp384) | | |
| 21 (ecp521) | | |
| 31 (curve25519) | | |

IKEv1 ciphers

Sophos Firewall supports these encryption algorithms for IKEv1.

Phase 1

| DH group | Encryption | Authentication |
|---|---|---|
| 1 (DH768) | AES256 | SHA2 512 |
| 2 (DH1024) | AES192 | SHA2 384 |
| 5 (DH1536) | AES128 | SHA2 256 |
| 14 (DH2048) | Blowfish | SHA1 |
| 15 (DH3072) | 3DES | MD5 |
| 16 (DH4096) | TwoFish | |
| 17 (DH6144) | Serpent | |
| 18 (DH8192) | | |
| 25 (ecp192) | | |
| 26 (ecp224) | | |
| 19 (ecp256) | | |
| 20 (ecp384) | | |
| 21 (ecp521) | | |
| 31 (curve25519) | | |

Phase 2

| DH group | Encryption | Authentication |
|---|---|---|
| None | AES256 | SHA2 512 |
| Same as phase-I | AES192 | SHA2 384 |
| 1 (DH768) | AES128 | SHA2 256 |
| 2 (DH1024) | Blowfish | SHA1 |
| 5 (DH1536) | 3DES | MD5 |
| 14 (DH2048) | AES256GCM16 | |
| 15 (DH3072) | AES192GCM16 | |
| 16 (DH4096) | AES128GCM16 | |
| 17 (DH6144) | AES256GMAC | |
| 18 (DH8192) | AES192GMAC | |
| 25 (ecp192) | AES128GMAC | |
| 26 (ecp224) | TwoFish | |
| 19 (ecp256) | Serpent | |
| 20 (ecp384) | | |
| 21 (ecp521) | | |
| 31 (curve25519) | | |
