Techniq808
New Contributor

AES Block Cipher Modes

Does anyone know the default AES block cipher mode used (GCM, CBC, CTR, etc.) for IPsec VPN Phase I/II?

And is this configurable/modifiable?

Thanks in advance.

emnoc
Esteemed Contributor III

It should be CBC. What version are you working with (FortiOS), and have you looked at the CLI reference guide?

PCNSE NSE StrongSwan
ispcolohost

Later FortiOS versions allow you to select GCM for phase2, but you must explicitly select it. If you don't see those in the drop-down for the p2 config, your version is not new enough. You can also select CHACHA20POLY1305 for the p2. Now, that being said, I have a feeling you'll only gain from making this selection if you're running on a box with a new enough CPU that has the AES-NI instruction set. I was about to post a thread asking about this actually, since the FortiOS docs aren't clear.
