Operating system

Windows Vista/7/8/Server 2008/Server 2012


Connection mode

Transport mode


Key exchange protocol

IKEv1 (main mode)


Authentication method

Preshared key
Digital signature


Hash algorithm (and key length)

HMAC-SHA1-96
HMAC-SHA2 (256 bits or 384 bits)


Encryption algorithm (and key length)

3DES-CBC
AES-CBC (128 bits, 192 bits, or 256 bits)


Key exchange algorithm/group (and key length)

Diffie-Hellman (DH)
Group 1 (768 bits)
Group 2 (1024 bits)
Group 14 (2048 bits)


ESP

Hash algorithm

HMAC-SHA1-96

Encryption algorithm (and key length)

3DES-CBC
AES-CBC (128 bits, 192 bits, or 256 bits)


Hash algorithm/encryption algorithm (and key length)

AES-GCM (128 bits, 192 bits, or 256 bits)


AH

Hash algorithm

HMAC-SHA1-96

IPSec supports communication to a unicast address (or a single device).
The machine cannot use both IPSec and DHCPv6 at the same time.
IPSec is unavailable in networks in which NAT or IP masquerade is implemented.

Format

Key: PKCS#12 *1
CA certificate: X.509v1 or X.509v3, DER (encoded binary), PEM

File extension

Key: ".p12" or ".pfx"
CA certificate: ".cer" or ".pem"

Public key algorithm (and key length)

RSA (512 bits, 1024 bits, 2048 bits, or 4096 bits), ECDSA (P256, P384, P521)

Certificate signature algorithm

SHA1-RSA, SHA256-RSA, SHA384-RSA *2, SHA512-RSA *2, MD5-RSA, MD2-RSA, SHA1-ECDSA, SHA256-ECDSA, SHA384-ECDSA, or SHA512-ECDSA

Certificate thumbprint algorithm

SHA1

*1 Requirements for the certificate contained in a key are pursuant to CA certificates.
*2 SHA384-RSA and SHA512-RSA are available only when the RSA key length is 1024 bits or more.

The machine does not support use of a certificate revocation list (CRL).

Hash:

MD4, MD5, SHA1

HMAC:

HMAC-MD5

Common key cryptosystem:

RC2, RC4, DES

Public key cryptosystem:

RSA encryption (512 bits/1024 bits), RSA signature (512 bits/1024 bits), DSA (512 bits/1024 bits), DH (512 bits/1024 bits)

Even when <Prohibit Weak Encryp. Key/Cert.>/<Prohibit Key/Cert. with Weak Encryption> is set to <On>, the hash algorithm SHA1, which is used for signing a root certificate, can be used.
