IPsec Algorithms and Methods Supported in Windows

Applies To: Windows Server 2008, Windows Vista

The following tables identify the key exchange protocols, integrity and encryption algorithms, and authentication methods included in versions of the Windows operating system.

  • An “X” indicates the table entry can be configured by using the Windows Firewall with Advanced Security MMC snap-in or the Netsh command-line tool.

  • An “O” indicates the table entry can be configured only by using the Netsh command-line tool.

Warning

The Diffie-Hellman Group 1 key exchange protocol, the Message-Digest algorithm 5 (MD5) integrity algorithm, the Data Encryption Standard (DES) encryption algorithm, and the preshared key authentication method are included for backward compatibility only. We do not recommend that you use them in a production environment.

Key exchange protocols

| Protocol | Netsh abbreviation | Windows 2000 | Windows XP and Windows Server 2003 | Windows Vista | Windows Vista SP1 and Windows Server 2008 | Windows Server 2008 R2 and Windows 7 |
|---|---|---|---|---|---|---|
| Diffie-Hellman Group 1 | dhgroup1 | X | X | X | X | X |
| Diffie-Hellman Group 2 | dhgroup2 | X | X | X | X | X |
| Diffie-Hellman Group 14 | dhgroup14 |  | X | X | X | X |
| Elliptic Curve Diffie-Hellman P-256 | ecdhp256 |  |  |  | O | X |
| Elliptic Curve Diffie-Hellman P-384 | ecdhp384 |  |  |  | O | X |

Integrity algorithms

| Algorithm | Netsh abbreviation | Windows 2000 | Windows XP and Windows Server 2003 | Windows Vista | Windows Vista SP1 and Windows Server 2008 | Windows Server 2008 R2 and Windows 7 |
|---|---|---|---|---|---|---|
| Message-Digest algorithm 5 | md5 | X | X | X | X | X |
| Secure Hash Algorithm 1 | sha1 | X | X | X | X | X |
| Secure Hash Algorithm 256-bit (main mode only) | sha256 |  |  |  | O | X |
| Secure Hash Algorithm 384-bit (main mode only) | sha384 |  |  |  | O | X |
| Advanced Encryption Standard-Galois Message Authentication Code (AES-GMAC) 128-bit (quick mode only) | aesgmac128 |  |  |  | O | X |
| AES-GMAC 192-bit (quick mode only) | aesgmac192 |  |  |  | O | X |
| AES-GMAC 256-bit (quick mode only) | aesgmac256 |  |  |  | O | X |
| Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) 128-bit (quick mode only) | aesgcm128 |  |  |  | O | X |
| AES-GCM 192-bit (quick mode only) | aesgcm192 |  |  |  | O | X |
| AES-GCM 256-bit (quick mode only) | aesgcm256 |  |  |  | O | X |

Encryption algorithms

| Algorithm | Netsh abbreviation | Windows 2000 | Windows XP and Windows Server 2003 | Windows Vista | Windows Vista SP1 and Windows Server 2008 | Windows Server 2008 R2 and Windows 7 |
|---|---|---|---|---|---|---|
| Data Encryption Standard (DES) | des | X | X | X | X | X |
| Triple-DES | 3des | X | X | X | X | X |
| Advanced Encryption Standard-Cipher Block Chaining (AES-CBC) 128-bit | aes128 |  |  |  | O | X |
| AES-CBC 192-bit | aes192 |  |  |  | O | X |
| AES-CBC 256-bit | aes256 |  |  |  | O | X |
| AES-GCM 128-bit (quick mode only) | aesgcm128 |  |  |  | O | X |
| AES-GCM 192-bit (quick mode only) | aesgcm192 |  |  |  | O | X |
| AES-GCM 256-bit (quick mode only) | aesgcm256 |  |  |  | O | X |

Authentication methods

| Method | Netsh abbreviation | Windows 2000 | Windows XP and Windows Server 2003 | Windows Vista | Windows Vista SP1 and Windows Server 2008 | Windows Server 2008 R2 and Windows 7 |
|---|---|---|---|---|---|---|
| Preshared key | computerpsk | X | X | X | X | X |
| Computer Kerberos V5 | computerkerb | X | X | X | X | X |
| Computer certificate | computercert | X | X | X | X | X |
| Computer NTLMv2 | computerntlm |  |  | X | X | X |
| User Kerberos V5 | userkerb |  |  | X | X | X |
| User NTLMv2 | userntlm |  |  | X | X | X |
| User certificate | usercert |  |  | X | X | X |
| Computer certificate with Elliptic Curve Digital Signature Algorithm (ECDSA)-P256 signing | computercertecdsap256 |  |  |  | O | X |
| Computer certificate with ECDSA-P384 signing | computercertecdsap384 |  |  |  | O | X |
| User certificate with ECDSA-P256 signing | usercertecdsap256 |  |  |  | O | X |
| User certificate with ECDSA-P384 signing | usercertecdsap384 |  |  |  | O | X |