Fortinet Document Library

Cookbook

6.2.0

Encryption algorithms

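This topic provides a brief introduction to IPsec phase1 and phase2 encryption algorithms and includes the following sections:

  • IKEv1 phase1 encryption algorithm
  • IKEv1 phase2 encryption algorithm
  • IKEv2 phase1 encryption algorithm
  • IKEv2 phase2 encryption algorithm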

IKEv1 phase1 encryption algorithm

The default encryption algorithm is:

aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

DES is a symmetric-key algorithm, which means the same key is used for encrypting and decrypting data. FortiGate supports:

  • des-md5
  • des-sha1
  • des-sha256
  • des-sha384
  • des-sha512

3DES applies the DES algorithm three times to each data block. FortiGate supports:

  • 3des-md5
  • 3des-sha1
  • 3des-sha256
  • 3des-sha384
  • 3des-sha512

AES is a symmetric-key algorithm with different key lengths: 128, 192, and 256 bits. FortiGate supports:

  • aes128-md5
  • aes128-sha1
  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes192-md5
  • aes192-sha1
  • aes192-sha256
  • aes192-sha384
  • aes192-sha512
  • aes256-md5
  • aes256-sha1
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512

The ARIA algorithm is based on AES with different key lengths: 128, 192, and 256 bits. FortiGate supports:

  • aria128-md5
  • aria128-sha1
  • aria128-sha256
  • aria128-sha384
  • aria128-sha512
  • aria192-md5
  • aria192-sha1
  • aria192-sha256
  • aria192-sha384
  • aria192-sha512
  • aria256-md5
  • aria256-sha1
  • aria256-sha256
  • aria256-sha384
  • aria256-sha512

SEED is a symmetric-key algorithm. FortiGate supports:

  • seed128-md5
  • seed128-sha1
  • seed128-sha256
  • seed128-sha384
  • seed128-sha512

Suite-B is a set of encryption algorithms that uses AES encryption with ICV in GCM mode. FortiGate supports Suite-B on new kernel platforms only. IPsec traffic cannot be offloaded to NPU. CP9 supports Suite-B offloading; otherwise, packets are encrypted and decrypted by software. FortiGate supports:

  • suite-b-gcm-128
  • suite-b-gcm-256

IKEv1 phase2 encryption algorithm

The default encryption algorithm is:

aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

With null encryption, IPsec traffic can be offloaded to NPU/CP. FortiGate supports:

  • null-md5
  • null-sha1
  • null-sha256
  • null-sha384
  • null-sha512

With the DES encryption algorithm, IPsec traffic can be offloaded to NPU/CP. FortiGate supports:

  • des-null
  • des-md5
  • des-sha1
  • des-sha256
  • des-sha384
  • des-sha512

With the 3DES encryption algorithm, IPsec traffic can be offloaded to NPU/CP. FortiGate supports:

  • 3des-null
  • 3des-md5
  • 3des-sha1
  • 3des-sha256
  • 3des-sha384
  • 3des-sha512

With the AES encryption algorithm, IPsec traffic can be offloaded to NPU/CP. FortiGate supports:

  • aes128-null
  • aes128-md5
  • aes128-sha1
  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes192-null
  • aes192-md5
  • aes192-sha1
  • aes192-sha256
  • aes192-sha384
  • aes192-sha512
  • aes256-null
  • aes256-md5
  • aes256-sha1
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512

With the AESGCM encryption algorithm, IPsec traffic cannot be offloaded to NPU/CP. FortiGate supports:

  • aes128gcm
  • aes256gcm

With the chacha20poly1305 encryption algorithm, IPsec traffic cannot be offloaded to NPU/CP. FortiGate supports:

  • chacha20poly1305

With the ARIA encryption algorithm, IPsec traffic cannot be offloaded to NPU/CP. FortiGate supports:

  • aria128-null
  • aria128-md5
  • aria128-sha1
  • aria128-sha256
  • aria128-sha384
  • aria128-sha512
  • aria192-null
  • aria192-md5
  • aria192-sha1
  • aria192-sha256
  • aria192-sha384
  • aria192-sha512
  • aria256-null
  • aria256-md5
  • aria256-sha1
  • aria256-sha256
  • aria256-sha384
  • aria256-sha512

With the SEED encryption algorithm, IPsec traffic cannot be offloaded to NPU/CP. FortiGate supports:

  • seed-null
  • seed-md5
  • seed-sha1
  • seed-sha256
  • seed-sha384
  • seed-sha512

IKEv2 phase1 encryption algorithm

The default encryption algorithm is:

aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256

DES is a symmetric-key algorithm, which means the same key is used for encrypting and decrypting data. FortiGate supports:

  • des-md5
  • des-sha1
  • des-sha256
  • des-sha384
  • des-sha512

3DES applies the DES algorithm three times to each data block. FortiGate supports:

  • 3des-md5
  • 3des-sha1
  • 3des-sha256
  • 3des-sha384
  • 3des-sha512

AES is a symmetric-key algorithm with different key lengths: 128, 192, and 256 bits. FortiGate supports:

  • aes128-md5
  • aes128-sha1
  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes128gcm-prfsha1
  • aes128gcm-prfsha256
  • aes128gcm-prfsha384
  • aes128gcm-prfsha512
  • aes192-md5
  • aes192-sha1
  • aes192-sha256
  • aes192-sha384
  • aes192-sha512
  • aes256-md5
  • aes256-sha1
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512
  • aes256gcm-prfsha1
  • aes256gcm-prfsha256
  • aes256gcm-prfsha384
  • aes256gcm-prfsha512

The ARIA algorithm is based on AES with different key lengths: 128, 192, and 256 bits. FortiGate supports:

  • aria128-md5
  • aria128-sha1
  • aria128-sha256
  • aria128-sha384
  • aria128-sha512
  • aria192-md5
  • aria192-sha1
  • aria192-sha256
  • aria192-sha384
  • aria192-sha512
  • aria256-md5
  • aria256-sha1
  • aria256-sha256
  • aria256-sha384
  • aria256-sha512

For the chacha20poly1305 encryption algorithm, FortiGate supports:

  • chacha20poly1305-prfsha1
  • chacha20poly1305-prfsha256
  • chacha20poly1305-prfsha384
  • chacha20poly1305-prfsha512

SEED is a symmetric-key algorithm. FortiGate supports:

  • seed128-md5
  • seed128-sha1
  • seed128-sha256
  • seed128-sha384
  • seed128-sha512

Suite-B is a set of encryption algorithms that uses AES encryption with ICV in GCM mode. FortiGate supports Suite-B on new kernel platforms only. IPsec traffic cannot be offloaded to NPU. CP9 supports Suite-B offloading; otherwise, packets are encrypted and decrypted by software. FortiGate supports:

  • suite-b-gcm-128
  • suite-b-gcm-256

IKEv2 phase2 encryption algorithm

The default encryption algorithm is:

aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

With null encryption, IPsec traffic can be offloaded to NPU/CP. FortiGate supports:

  • null-md5
  • null-sha1
  • null-sha256
  • null-sha384
  • null-sha512

With the DES encryption algorithm, IPsec traffic can be offloaded to NPU/CP. FortiGate supports:

  • des-null
  • des-md5
  • des-sha1
  • des-sha256
  • des-sha384
  • des-sha512

With the 3DES encryption algorithm, IPsec traffic can be offloaded to NPU/CP. FortiGate supports:

  • 3des-null
  • 3des-md5
  • 3des-sha1
  • 3des-sha256
  • 3des-sha384
  • 3des-sha512

With the AES encryption algorithm, IPsec traffic can be offloaded to NPU/CP. FortiGate supports:

  • aes128-null
  • aes128-md5
  • aes128-sha1
  • aes128-sha256
  • aes128-sha384
  • aes128-sha512
  • aes192-null
  • aes192-md5
  • aes192-sha1
  • aes192-sha256
  • aes192-sha384
  • aes192-sha512
  • aes256-null
  • aes256-md5
  • aes256-sha1
  • aes256-sha256
  • aes256-sha384
  • aes256-sha512

With the AESGCM encryption algorithm, IPsec traffic cannot be offloaded to NPU. CP9 supports AESGCM offloading. FortiGate supports:

  • aes128gcm
  • aes256gcm

With the chacha20poly1305 encryption algorithm, IPsec traffic cannot be offloaded to NPU/CP. FortiGate supports:

  • chacha20poly1305

With the ARIA encryption algorithm, IPsec traffic cannot be offloaded to NPU/CP. FortiGate supports:

  • aria128-null
  • aria128-md5
  • aria128-sha1
  • aria128-sha256
  • aria128-sha384
  • aria128-sha512
  • aria192-null
  • aria192-md5
  • aria192-sha1
  • aria192-sha256
  • aria192-sha384
  • aria192-sha512
  • aria256-null
  • aria256-md5
  • aria256-sha1
  • aria256-sha256
  • aria256-sha384
  • aria256-sha512

With the SEED encryption algorithm, IPsec traffic cannot be offloaded to NPU/CP. FortiGate supports:

  • seed-null
  • seed-md5
  • seed-sha1
  • seed-sha256
  • seed-sha384
  • seed-sha512
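
The phase2 lists above mix two concerns: which proposals can be offloaded, and which offer no encryption or no authentication at all. The following added example (not Fortinet code) parses a space-separated phase2 proposal string, reports the offload behaviour stated in the IKEv1 and IKEv2 phase2 sections, and flags entries under an assumed review policy; the function names, the `WEAK_*` policy tables and the sample string are constructed for illustration.

```python
import re

# Offload behaviour per cipher family, transcribed from the phase2 sections above.
OFFLOAD = {"null": "npu/cp", "des": "npu/cp", "3des": "npu/cp", "aes": "npu/cp",
           "aesgcm": "none", "chacha20poly1305": "none", "aria": "none", "seed": "none"}
AUTHS = {"null", "md5", "sha1", "sha256", "sha384", "sha512"}
AEAD = {"aes128gcm", "aes256gcm", "chacha20poly1305"}
# Assumed review policy (not stated on the page): settings an auditor would question.
WEAK_ENC = {"null": "traffic is not encrypted", "des": "56-bit key"}
WEAK_AUTH = {"null": "no integrity check", "md5": "legacy hash"}


def parse_phase2(token):
    """Split one phase2 token into (cipher family, authentication)."""
    enc, _, auth = token.partition("-")
    if enc in AEAD:
        if auth:
            raise ValueError(f"unexpected suffix on AEAD proposal: {token}")
        return ("aesgcm" if enc.endswith("gcm") else enc), "aead"
    known = re.fullmatch(r"null|des|3des|seed|(aes|aria)(128|192|256)", enc)
    if not known or auth not in AUTHS or enc == auth == "null":
        raise ValueError(f"not a phase2 proposal listed on this page: {token}")
    return re.sub(r"\d+$", "", enc), auth


def audit(proposal, ike_version=1):
    """Map each token of a space-separated proposal to (offload, findings)."""
    report = {}
    for token in proposal.split():
        family, auth = parse_phase2(token)
        offload = OFFLOAD[family]
        if family == "aesgcm" and ike_version == 2:
            offload = "cp9"  # IKEv2 phase2: no NPU offload, CP9 only
        findings = [f"{k}: {why}" for k, why in
                    ((family, WEAK_ENC.get(family)), (auth, WEAK_AUTH.get(auth))) if why]
        report[token] = (offload, findings)
    return report


if __name__ == "__main__":
    # Constructed sample: three of the page's defaults plus three legacy entries.
    sample = "aes256-sha256 aes128gcm chacha20poly1305 des-md5 null-sha256 aes256-null"
    for token, (offload, findings) in audit(sample, ike_version=2).items():
        print(f"{token:18} offload={offload:7} {'; '.join(findings) or 'ok'}")
```

Tokens that do not appear in the phase2 lists, including phase1-only forms such as `seed128-sha1` or `aes128gcm-prfsha256`, raise `ValueError` rather than being silently accepted.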
