Starting with NSX Data Center 6.4.5, you can specify a compliance suite to configure the various parameters in the security profile of an IPSec VPN site.

A security compliance suite is a predefined set of values for the security parameters of an IPSec VPN session. Think of a compliance suite as a template that configures the security profile of a site according to a published standard. For example, the US National Security Agency publishes the Commercial National Security Algorithm (CNSA) Suite, which is required for national security systems. When you select a compliance suite, the security profile of the IPSec VPN site is populated with the suite's predefined values, and you cannot edit those values. Selecting a suite therefore avoids configuring each parameter individually and prevents a site from being configured with a mix of algorithms that the standard does not permit.

NSX supports seven security compliance suites. The following table lists the predefined values for various configuration parameters in each supported compliance suite.

Table 1. Compliance Suites: Predefined Configuration Parameter Values

Parameters without the "Tunnel" prefix apply to the IKE security association; the "Tunnel" parameters apply to the ESP tunnel. A Tunnel Digest Algorithm of NULL means that the combined-mode algorithm (AES GCM or AES GMAC) provides integrity protection itself, so no separate HMAC is negotiated.

CNSA
  IKE Version: IKEv2
  Digest Algorithm: SHA 384
  Encryption Algorithm: AES 256
  Tunnel Encryption: AES 256
  Tunnel Digest Algorithm: SHA 384
  Authentication: RSA Certificate (3072-bit key) or ECDSA Certificate (P-384 curve)
  DH Group: DH15 and ECDH20

Suite-B-GCM-128
  IKE Version: IKEv2
  Digest Algorithm: SHA 256
  Encryption Algorithm: AES 128
  Tunnel Encryption: AES GCM 128
  Tunnel Digest Algorithm: NULL
  Authentication: ECDSA Certificate (P-256 curve)
  DH Group: ECDH19

Suite-B-GCM-256
  IKE Version: IKEv2
  Digest Algorithm: SHA 384
  Encryption Algorithm: AES 256
  Tunnel Encryption: AES GCM 256
  Tunnel Digest Algorithm: NULL
  Authentication: ECDSA Certificate (P-384 curve)
  DH Group: ECDH20

Suite-B-GMAC-128
  IKE Version: IKEv2
  Digest Algorithm: SHA 256
  Encryption Algorithm: AES 128
  Tunnel Encryption: AES GMAC 128
  Tunnel Digest Algorithm: NULL
  Authentication: ECDSA Certificate (P-256 curve)
  DH Group: ECDH19

Suite-B-GMAC-256
  IKE Version: IKEv2
  Digest Algorithm: SHA 384
  Encryption Algorithm: AES 256
  Tunnel Encryption: AES GMAC 256
  Tunnel Digest Algorithm: NULL
  Authentication: ECDSA Certificate (P-384 curve)
  DH Group: ECDH20

Prime
  IKE Version: IKEv2
  Digest Algorithm: SHA 256
  Encryption Algorithm: AES GCM 128
  Tunnel Encryption: AES GCM 128
  Tunnel Digest Algorithm: NULL
  Authentication: ECDSA Certificate (P-256 curve)
  DH Group: ECDH19

Foundation
  IKE Version: IKEv1
  Digest Algorithm: SHA 256
  Encryption Algorithm: AES 128
  Tunnel Encryption: AES 128
  Tunnel Digest Algorithm: SHA 256
  Authentication: RSA Certificate (2048-bit key and SHA-256)
  DH Group: DH14
Caution: Starting in NSX 6.4.6, the "Suite-B-GMAC-128" and "Suite-B-GMAC-256" compliance suites are deprecated. If you configured IPSec VPN sites in NSX 6.4.5 with either of these suites, you can still upgrade the edges to 6.4.6, but a warning message informs you that those sites are using a vulnerable compliance suite. The reason is that AES-GMAC (RFC 4543) is an integrity-only mode: with the NULL tunnel digest of these suites, the ESP payload is authenticated but not encrypted, so the tunnel provides no confidentiality for the traffic it carries.
Attention: When you configure an IPSec VPN site with the "Prime" or "Foundation" compliance suite, you cannot configure the ikelifetime and salifetime site extensions. These lifetimes are pre-configured by the suite according to the standard.
When you select the "CNSA" compliance suite, both the DH15 (3072-bit MODP) and ECDH20 (P-384) DH groups are configured internally on the NSX Edge. The following caveats apply:
  • If the IPSec VPN service on an NSX Edge is configured as an initiator, NSX sends only ECDH20 in its initial IKE_SA_INIT key exchange payload when establishing an IKE security association with the remote site. NSX prefers ECDH20 because it is stronger than DH15 (about 192 bits of security versus about 128). If a third-party responder is configured with only DH15, it replies with an INVALID_KE_PAYLOAD notification (RFC 7296, section 1.2) that asks the initiator to use DH15. NSX then restarts the IKE SA negotiation with DH15, and the tunnel is established. However, if the third-party IPSec VPN solution does not implement the INVALID_KE_PAYLOAD notification, the initiator never learns which group to retry and the tunnel is never established.
  • If the IPSec VPN service on an NSX Edge is configured as a responder, the edge accepts either DH15 or ECDH20, so the tunnel is established with whichever of the two groups the initiator proposes.
  • When both the initiator and the responder are NSX Edges using the CNSA suite, the tunnel is always established with ECDH20.
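To make the negotiation behaviour concrete, the following is an added example (not NSX code and not from this documentation) that models the IKE_SA_INIT exchange for the DH groups in Table 1 and reproduces the three CNSA caveats above. SUITE_DH_GROUPS is transcribed from Table 1; the Peer class, its honors_invalid_ke flag, and the vendor gateway names are constructed assumptions used only to exercise the failure modes.

```python
"""Model of the IKE_SA_INIT DH-group negotiation for the NSX compliance suites.

Added example, not NSX code. SUITE_DH_GROUPS is transcribed from Table 1;
the Peer model and its honors_invalid_ke flag are constructed assumptions
that reproduce the CNSA caveats (initiator, responder, NSX-to-NSX).
"""
from dataclasses import dataclass


# DH groups each suite enables (from Table 1). The first entry is the group an
# NSX initiator offers in its KE payload; for CNSA that is ECDH20, which NSX
# prefers over DH15.
SUITE_DH_GROUPS = {
    "CNSA": ["ECDH20", "DH15"],
    "Suite-B-GCM-128": ["ECDH19"],
    "Suite-B-GCM-256": ["ECDH20"],
    "Suite-B-GMAC-128": ["ECDH19"],
    "Suite-B-GMAC-256": ["ECDH20"],
    "Prime": ["ECDH19"],
    "Foundation": ["DH14"],
}


@dataclass
class Peer:
    """One IPSec VPN endpoint (constructed model, not a real IKE stack)."""
    name: str
    dh_groups: list                 # groups this endpoint accepts, preferred first
    honors_invalid_ke: bool = True  # implements INVALID_KE_PAYLOAD (RFC 7296 1.2)


def nsx_site(suite: str, name: str = "nsx-edge") -> Peer:
    """An NSX Edge configured with one of the compliance suites in Table 1."""
    return Peer(name, list(SUITE_DH_GROUPS[suite]))


def ike_sa_init(initiator: Peer, responder: Peer) -> dict:
    """Walk IKE_SA_INIT and report whether an IKE SA gets established.

    Returns {"established": bool, "group": str or None, "exchange": [str]}.
    """
    exchange = []
    # The initiator advertises every group it supports in the SA payload but
    # can carry key material for only one group in the KE payload.
    ke_group = initiator.dh_groups[0]
    exchange.append(f"{initiator.name} -> {responder.name}: IKE_SA_INIT "
                    f"SA={initiator.dh_groups} KE={ke_group}")

    if ke_group in responder.dh_groups:
        exchange.append(f"{responder.name} -> {initiator.name}: IKE_SA_INIT KE={ke_group}")
        return {"established": True, "group": ke_group, "exchange": exchange}

    # The KE group is unacceptable to the responder. Is any group shared at all?
    common = [g for g in initiator.dh_groups if g in responder.dh_groups]
    if not common:
        exchange.append(f"{responder.name} -> {initiator.name}: N(NO_PROPOSAL_CHOSEN)")
        return {"established": False, "group": None, "exchange": exchange}

    # RFC 7296 section 1.2: the responder answers INVALID_KE_PAYLOAD naming a
    # group it accepts, and the initiator retries IKE_SA_INIT with that group.
    if not responder.honors_invalid_ke:
        exchange.append(f"{responder.name}: rejects KE={ke_group} without "
                        "INVALID_KE_PAYLOAD; initiator never learns which group to use")
        return {"established": False, "group": None, "exchange": exchange}
    retry = common[0]
    exchange.append(f"{responder.name} -> {initiator.name}: N(INVALID_KE_PAYLOAD, {retry})")
    if not initiator.honors_invalid_ke:
        exchange.append(f"{initiator.name}: ignores the notification; no tunnel")
        return {"established": False, "group": None, "exchange": exchange}
    exchange.append(f"{initiator.name} -> {responder.name}: IKE_SA_INIT "
                    f"SA={initiator.dh_groups} KE={retry}")
    exchange.append(f"{responder.name} -> {initiator.name}: IKE_SA_INIT KE={retry}")
    return {"established": True, "group": retry, "exchange": exchange}


if __name__ == "__main__":
    # Constructed third-party gateways: both accept only DH15; one of them does
    # not implement the INVALID_KE_PAYLOAD notification.
    vendor_ok = Peer("vendor-gw", ["DH15"])
    vendor_broken = Peer("legacy-gw", ["DH15"], honors_invalid_ke=False)
    scenarios = [
        ("NSX CNSA initiator, DH15-only responder", nsx_site("CNSA"), vendor_ok),
        ("NSX CNSA initiator, responder lacks INVALID_KE_PAYLOAD", nsx_site("CNSA"), vendor_broken),
        ("DH15-only initiator, NSX CNSA responder", vendor_ok, nsx_site("CNSA")),
        ("NSX CNSA to NSX CNSA", nsx_site("CNSA", "nsx-a"), nsx_site("CNSA", "nsx-b")),
        ("Mismatched suites: GCM-128 to GCM-256",
         nsx_site("Suite-B-GCM-128", "nsx-a"), nsx_site("Suite-B-GCM-256", "nsx-b")),
    ]
    for title, ini, resp in scenarios:
        result = ike_sa_init(ini, resp)
        print(f"== {title}: established={result['established']} group={result['group']}")
        for line in result["exchange"]:
            print("   ", line)
```

Running the script prints each exchange message by message: the first scenario shows the extra round trip caused by INVALID_KE_PAYLOAD before DH15 is agreed, the second stops after the responder's rejection, and the last scenario shows that two NSX Edges configured with different Suite-B suites share no DH group and never establish an IKE SA, which is the usual cause when a tunnel between two NSX sites stays down after one side's suite is changed.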