IPsec Algorithms and Methods Supported in Windows
Applies To: Windows Server 2008, Windows Vista
The following tables identify the key exchange protocols, integrity and encryption algorithms, and authentication methods included in versions of the Windows operating system.
An “X” indicates the table entry can be configured by using the Windows Firewall with Advanced Security MMC snap-in or the Netsh command-line tool.
An “O” indicates the table entry can be configured only by using the Netsh command-line tool.
Warning
The Diffie-Hellman Group 1 key exchange protocol, the Message-Digest algorithm 5 (MD5) integrity algorithm, the Data Encryption Standard (DES) encryption algorithm, and the preshared key authentication method are included for backward compatibility only. We do not recommend that you use them in a production environment.
Key exchange protocols
| Name | Netsh abbreviation | Windows 2000 | Windows XP and Windows Server 2003 | Windows Vista | Windows Vista SP1 and Windows Server 2008 | Windows Server 2008 R2 and Windows 7 |
|---|---|---|---|---|---|---|
| | dhgroup1 | X | X | X | X | X |
| | dhgroup2 | X | X | X | X | X |
| | dhgroup14 | | X | X | X | X |
| | ecdhp256 | | | | O | X |
| | ecdhp384 | | | | O | X |
Integrity algorithms
| Name | Netsh abbreviation | Windows 2000 | Windows XP and Windows Server 2003 | Windows Vista | Windows Vista SP1 and Windows Server 2008 | Windows Server 2008 R2 and Windows 7 |
|---|---|---|---|---|---|---|
| | md5 | X | X | X | X | X |
| | sha1 | X | X | X | X | X |
| Secure Hash Algorithm 256-bit (main mode only) | sha256 | | | | O | X |
| | sha384 | | | | O | X |
| Advanced Encryption Standard-Galois Message Authentication Code (AES-GMAC) 128-bit (quick mode only) | aesgmac128 | | | | O | X |
| AES-GMAC 192-bit (quick mode only) | aesgmac192 | | | | O | X |
| AES-GMAC 256-bit (quick mode only) | aesgmac256 | | | | O | X |
| Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) 128-bit (quick mode only) | aesgcm128 | | | | O | X |
| AES-GCM 192-bit (quick mode only) | aesgcm192 | | | | O | X |
| AES-GCM 256-bit (quick mode only) | aesgcm256 | | | | O | X |
Encryption algorithms
| Name | Netsh abbreviation | Windows 2000 | Windows XP and Windows Server 2003 | Windows Vista | Windows Vista SP1 and Windows Server 2008 | Windows Server 2008 R2 and Windows 7 |
|---|---|---|---|---|---|---|
| | des | X | X | X | X | X |
| | 3des | X | X | X | X | X |
| Advanced Encryption Standard-Cipher Block Chaining (AES-CBC) 128-bit | aes128 | | | | O | X |
| | aes192 | | | | O | X |
| | aes256 | | | | O | X |
| AES-GCM 128-bit (quick mode only) | aesgcm128 | | | | O | X |
| AES-GCM 192 (quick mode only) | aesgcm192 | | | | O | X |
| AES-GCM 256 (quick mode only) | aesgcm256 | | | | O | X |
Authentication methods
| Name | Netsh abbreviation | Windows 2000 | Windows XP and Windows Server 2003 | Windows Vista | Windows Vista SP1 and Windows Server 2008 | Windows Server 2008 R2 and Windows 7 |
|---|---|---|---|---|---|---|
| | computerpsk | X | X | X | X | X |
| | computerkerb | X | X | X | X | X |
| | computercert | X | X | X | X | X |
| | computerntlm | | | X | X | X |
| | userkerb | | | X | X | X |
| | userntlm | | | X | X | X |
| | usercert | | | X | X | X |
| Computer certificate with Elliptic Curve Digital Signature Algorithm (ECDSA)-P256 signing | computercertecdsap256 | | | | O | X |
| | computercertecdsap384 | | | | O | X |
| | usercertecdsap256 | | | | O | X |
| | usercertecdsap384 | | | | O | X |