Skip to content

IPsec encryption algorithms

Sophos Firewall supports the following encryption algorithms for IKEv1 and IKEv2 phase 1 and 2.

IKEv2 ciphers

Sophos Firewall supports these encryption algorithms for IKEv2.

Phase 1

DH group	Encryption	Authentication
1 (DH768)	AES256	SHA2 512
2 (DH1024)	AES192	SHA2 384
5 (DH1536)	AES128	SHA2 256
14 (DH2048)	Blowfish	SHA1
15 (DH3072)	3DES	MD5
16 (DH4096)
17 (DH6144)
18 (DH8192)
25 (ecp192)
26 (ecp224)
19 (ecp256)
20 (ecp384)
21 (ecp521)
31 (curve25519)

Phase 2

DH group	Encryption	Authentication
None	AES256	SHA2 512
Same as phase-I	AES192	SHA2 384
1 (DH768)	AES128	SHA2 256
2 (DH1024)	Blowfish	SHA1
5 (DH1536)	3DES	MD5
14 (DH2048)	AES256GCM16
15 (DH3072)	AES192GCM16
16 (DH4096)	AES128GCM16
17 (DH6144)	AES256GMAC
18 (DH8192)	AES192GMAC
25 (ecp192)	AES128GMAC
26 (ecp224)
19 (ecp256)
20 (ecp384)
21 (ecp521)
31 (curve25519)

IKEv1 ciphers

Sophos Firewall supports these encryption algorithms for IKEv1.

Phase 1

DH group	Encryption	Authentication
1 (DH768)	AES256	SHA2 512
2 (DH1024)	AES192	SHA2 384
5 (DH1536)	AES128	SHA2 256
14 (DH2048)	Blowfish	SHA1
15 (DH3072)	3DES	MD5
16 (DH4096)	TwoFish
17 (DH6144)	Serpent
18 (DH8192)
25 (ecp192)
26 (ecp224)
19 (ecp256)
20 (ecp384)
21 (ecp521)
31 (curve25519)

Phase 2

DH group	Encryption	Authentication
None	AES256	SHA2 512
Same as phase-I	AES192	SHA2 384
1 (DH768)	AES128	SHA2 256
2 (DH1024)	Blowfish	SHA1
5 (DH1536)	3DES	MD5
14 (DH2048)	AES256GCM16
15 (DH3072)	AES192GCM16
16 (DH4096)	AES128GCM16
17 (DH6144)	AES256GMAC
18 (DH8192)	AES192GMAC
25 (ecp192)	AES128GMAC
26 (ecp224)	TwoFish
19 (ecp256)	Serpent
20 (ecp384)
21 (ecp521)
31 (curve25519)

More resources

Add an IPsec profile