Updated on 2024-07-23 GMT+08:00

What Are VPN Negotiation Parameters? What Are Their Default Values?

Table 1 VPN negotiation parameters (columns: Protocol, Parameter, Value)

IKE

  Authentication Algorithm
    • MD5 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • SHA1 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • SHA2-256 (default value)
    • SHA2-384
    • SHA2-512

  Encryption Algorithm
    • 3DES (This algorithm is insecure. Exercise caution when using this algorithm.)
    • AES-256
    • AES-192
    • AES-128 (default value)

  DH Algorithm
    • Group 5 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • Group 2 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • Group 14 (default value)
    • Group 1 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • Group 15
    • Group 16
    • Group 19
    • Group 20
    • Group 21
    NOTE: In some regions, only Group 14, Group 2, and Group 5 are available.

  Version
    • v1 (not recommended due to security risks)
    • v2 (default value)

  Lifetime (s)
    86400 (default value)
    Unit: second
    Value range: 60 to 604800

IPsec

  Authentication Algorithm
    • SHA1 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • MD5 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • SHA2-256 (default value)
    • SHA2-384
    • SHA2-512

  Encryption Algorithm
    • AES-128 (default value)
    • AES-192
    • AES-256
    • 3DES (This algorithm is insecure. Exercise caution when using this algorithm.)

  PFS
    • DH group 5 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • DH group 2 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • DH group 14 (default value)
    • DH group 1 (This algorithm is insecure. Exercise caution when using this algorithm.)
    • DH group 15
    • DH group 16
    • DH group 19
    • DH group 20
    • DH group 21
    • Disable
    NOTE: In some regions, only DH group 14, DH group 2, and DH group 5 are available.

  Transfer Protocol
    • ESP (default value)
    • AH
    • AH-ESP

  Lifetime (s)
    3600 (default value)
    Unit: second
    Value range: 480 to 604800

  • Perfect Forward Secrecy (PFS) is a security feature.

    IKE negotiation has two phases, phase one and phase two. The key of phase two (IPsec SA) is derived from the key generated in phase one. Once the key in phase one is disclosed, the security of the IPsec VPN may be adversely affected. To improve the key security, IKE provides PFS. After PFS is configured, an additional DH exchange will be performed during IPsec SA negotiation, and a new IPsec SA key will be generated, improving IPsec SA security.

  • To ensure security, PFS is enabled on the cloud side by default. Ensure that PFS is also enabled on the on-premises gateway. Otherwise, the negotiation will fail.
  • To enable PFS, ensure that the configurations at both ends of a VPN are the same.
  • The default traffic-based lifetime of an IPsec SA is 1,843,200 KB and cannot be changed for the VPN. This lifetime does not affect the establishment of an IPsec SA.
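A pre-flight check for the "both ends must match" rules above, written as an added example rather than code from this help page: it compares a planned on-premises IKE/IPsec proposal with the cloud side's defaults from Table 1, treats any algorithm, DH/PFS group, version or transfer-protocol mismatch (including PFS set to Disable) or an out-of-range lifetime as a negotiation failure, and flags matching but insecure choices as warnings. The dictionary keys and the `check_proposal` function are assumptions chosen for this example.

```python
# Added example (not from the help page): validate a planned on-premises
# proposal against the cloud side's IKE/IPsec negotiation parameters.
# Dict keys and value spellings are assumptions made for this example.
CLOUD = {
    "ike":   {"auth": "SHA2-256", "enc": "AES-128", "dh": "Group 14",
              "version": "v2", "lifetime": 86400},
    "ipsec": {"auth": "SHA2-256", "enc": "AES-128", "pfs": "DH group 14",
              "proto": "ESP", "lifetime": 3600},
}
# Allowed lifetime ranges in seconds, from Table 1.
LIFETIME = {"ike": (60, 604800), "ipsec": (480, 604800)}
# Options Table 1 marks as insecure or not recommended.
WEAK = {"MD5", "SHA1", "3DES", "v1", "Group 1", "Group 2", "Group 5",
        "DH group 1", "DH group 2", "DH group 5"}


def check_proposal(onprem, cloud=CLOUD):
    """Return (will_negotiate, findings) for an on-premises proposal.

    A mismatch in any algorithm, DH/PFS group, IKE version or transfer
    protocol, or a lifetime outside the allowed range, is a failure.
    Weak-but-matching choices are reported as warnings only.
    """
    failures, warnings = [], []
    for phase, params in cloud.items():
        local = onprem.get(phase, {})
        for key, want in params.items():
            got = local.get(key)
            if key == "lifetime":
                lo, hi = LIFETIME[phase]
                if not isinstance(got, int) or not lo <= got <= hi:
                    failures.append(f"{phase}.lifetime={got!r} not in {lo}..{hi}")
                continue
            # PFS "Disable" on-prem against the cloud's DH group 14 lands here.
            if got != want:
                failures.append(f"{phase}.{key}: on-prem {got!r} vs cloud {want!r}")
            if got in WEAK:
                warnings.append(f"{phase}.{key}: {got} is flagged insecure")
    return not failures, failures + warnings


if __name__ == "__main__":
    # Constructed peer proposal: PFS disabled and IPsec lifetime too short.
    peer = {"ike": dict(CLOUD["ike"], auth="MD5"),
            "ipsec": dict(CLOUD["ipsec"], pfs="Disable", lifetime=300)}
    ok, findings = check_proposal(peer)
    print("negotiates:", ok)
    for line in findings:
        print(" -", line)
```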