Beginning with NSX-T Data Center 2.5, you can specify a security compliance suite that configures the security profiles used for an IPSec VPN session.

A security compliance suite has predefined values that are used for different security parameters and that cannot be modified. When you select a compliance suite, the predefined values are automatically used for the security profile of the IPSec VPN session you are configuring.

The following table lists the compliance suites that are supported for IKE profiles in NSX-T Data Center and the values that are predefined for each.

| Compliance Suite Name | IKE Version | Encryption Algorithm | Digest Algorithm | Diffie-Hellman Group |
|---|---|---|---|---|
| CNSA | IKE V2 | AES 256 | SHA2 384 | Group 15, Group 20 |
| FIPS | IKE FLEX | AES 128 | SHA2 256 | Group 20 |
| Foundation | IKE V1 | AES 128 | SHA2 256 | Group 14 |
| PRIME | IKE V2 | AES GCM 128 | Not Set | Group 19 |
| Suite-B-GCM-128 | IKE V2 | AES 128 | SHA2 256 | Group 19 |
| Suite-B-GCM-256 | IKE V2 | AES 256 | SHA2 384 | Group 20 |

Note: The AES 128 and AES 256 algorithms use the CBC mode of operation.

The following table lists the compliance suites that are supported for IPSec profiles in NSX-T Data Center and the values that are predefined for each.

| Compliance Suite Name | Encryption Algorithm | Digest Algorithm | PFS Group | Diffie-Hellman Group |
|---|---|---|---|---|
| CNSA | AES 256 | SHA2 384 | Enabled | Group 15, Group 20 |
| FIPS | AES GCM 128 | Not Set | Enabled | Group 20 |
| Foundation | AES 128 | SHA2 256 | Enabled | Group 14 |
| PRIME | AES GCM 128 | Not Set | Enabled | Group 19 |
| Suite-B-GCM-128 | AES GCM 128 | Not Set | Enabled | Group 19 |
| Suite-B-GCM-256 | AES GCM 256 | Not Set | Enabled | Group 20 |

Note: The AES 128 and AES 256 algorithms use the CBC mode of operation.