Datapath
The following refers to the IKE/IPsec datapath implementation of overlay tunnels between Silver Peak devices.
VXOA Release Key Management IPsec
Authentication Key Exchange Encryption Message digest/hash/HMAC Other parameters (till 8.1.5.x)
7.3
(Regular "IPsec" mode with IKE)
IKE. Custom/auto‐generated Pre‐
Shared Keys, no certificates DH Group 14 (2048bit) AES‐128‐CBC SHA1 DPD On, every 5 minutes
Authentication Key Exchange Encryption Message digest/hash/HMAC IKE Mode IKEv1, Main
8.0
(Regular "IPsec" mode with IKE) IKE. Custom/auto‐generated Pre‐
Shared Keys, no certificates DH Group 14 (2048bit) AES‐128‐CBC, AES‐256‐CBC SHA1 Nat traversal On, keepalive 8secs
Authentication Key Exchange Encryption Message digest/hash/HMAC IKE Lifetime/Rekey 12hrs
8.1.0‐8.1.5.x
(Regular "IPsec" mode with IKE) IKE. Custom/auto‐generated Pre‐ SHA2 (SHA256, SHA384, SHA512),
Shared Keys, no certificates DH Group 14 (2048bit) AES‐128‐CBC, AES‐256‐CBC SHA1(default) IPsec Lifetime/Rekey 60mins
8.1.6+ IKE pre‐shared key
IPsec UDP mode without IKE is Encryption Message digest/hash/HMAC rotation Every week
default. Regular "IPsec" mode is
Through Secure Zero Touch SHA2 (SHA256, SHA384, SHA512),
also supported.
Provisioning Proprietary, through Orchestrator AES‐128‐CBC, AES‐256‐CBC SHA1(default) Other parameters (8.1.6+)
Default every day, can be
configured per hour, at
IPsec UDP Key Rotation the minimum
Appliance WebUI
The following refers to the ciphers used by the VXOA software for WebUI on Silver Peak Edge Connect, VX/NX devices.
openssl
Release TLS Certificate Appliance as TLS server: TLS between web browser and appliance keygen can
8.0.x and later Works with Signature Hash Public Key Certificate Format Key exchange Encryption Protocol HMAC
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS1.2 SHA256 RSA , 2048bits PEM DHE_RSA AES128‐CBC TLS 1.2 SHA1 secp256k1
Self‐signed and
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS1.2 CA‐signed AES256‐CBC SHA256 secp384r1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS1.2 AES128‐GCM SHA384 secp521r1
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS1.2 AES256‐GCM prime256v1
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS1.2 Disabled: Null, DES, RC4, MD5, PSK, IDEA, Export
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS1.2
NOTE: TLS protocol implemented within EdgeConnect and NX devices uses only algorithms specified above.
Orchestrator
The following refers to the ciphers used by the Silver Peak Orchestrator/GMS devices.
GMS Release TLS Certificate Orchestrator as TLS server: TLS session to appliance, cloud portal, client web browser
8.0.x and later Works with Signature Hash Public Key Certificate Format Server Key Exchange Server AuthenticationEncryption HMAC Protocol
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS1.2 SHA256 RSA, 2048bits PEM DHE_RSA RSA AES128‐CBC SHA1 TLS 1.2
Self‐signed and
TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS1.2 CA‐signed ECDHE_RSA AES256‐CBC SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS1.2 AES128‐GCM SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS1.2 AES256‐GCM
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS1.2 Disabled: SSL, SSLv2, SSLv3, .*NULL.*, .*RC4.*, .*MD5.*, .*DES.*, .*DSS.*
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS1.2
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS1.2
NOTE: TLS protocol implemented within EdgeConnect and NX devices uses only algorithms specified above.
SSLAcceleration
The following refers to the ciphers used by the SSL proxy feature on the Silver Peak VXOA software running on Edge Connect, NX/VX devices.
VXOA Release Key Exchange Ciphers Digest Protocol Cert Format Supported extension
6.2.x RSA AES128 MD5 ssl v3 PEM SSL_EXT_SERVER_NAME:
RSA AES256 SHA1 TLS 1.0 PFX SSL_EXT_MAX_FRAGMENT_LENGTH:
RC4 SHA2 (SHA 256 supported) TLS 1.1 SSL_EXT_RENEGOTIATION_INFO:
3DES TLS 1.2 SSL_EXT_ELLIPTIC_CURVES:
SSL_EXT_EC_POINT_FORMATS:
SSL_EXT_SIGNATURE_ALGORITHMS:
7.3.x RSA AES128 MD5 ssl v3 PEM Support for all 6.2.x and following
DHE AES256 SHA1 TLS 1.0 PFX SSL_EXT_TRUSTED_CA_KEYS:
ECDHE AES128‐GCM SHA2 (SHA 384 supported) TLS 1.1 SSL_EXT_SESSION_TICKET:
AES256‐GCM TLS 1.2 SSL_EXT_HEARTBEAT:
RC4 SSL_EXT_ALPN:
3DES SSL_EXT_STATUS_REQUEST:
SSL_EXT_STATUS_REQUEST_V2:
SSL_EXT_NEXT_PROTOCOL_NEGOTIATION:
8.x RSA (confirm 2048bits) AES128 MD5 ssl v3 PEM Same as 7.3
DHE (confirm 2048bits) AES256 SHA1 TLS 1.0 PFX EXTENDED_MASTER_SECRET
ECDHE (confirm 224 bits) AES128‐GCM SHA2 (SHA 384 supported) TLS 1.1
AES256‐GCM TLS 1.2
RC4
3DES
NOTE: TLS protocol implemented within EdgeConnect and NX devices uses only algorithms specified above.
NetworkMemory
The following refers to the ciphers used by the VXOA software for Network Memory on‐disk encryption on Silver Peak Edge Connect, VX/NX devices.
VXOA Release Network Memory Ciphers
8.1.x AES128
SNMPv3
The following refers to the ciphers used by the VXOA software SNMPv3 functionality on Silver Peak Edge Connect, VX/NX devices.
VXOA Release SNMPv3 Ciphers
AES128 (encryption),
8.1.x SHA1 (hashing/integrity)
SSH
The following refers to the ciphers used by the VXOA software for SSH on Silver Peak Edge Connect, VX/NX devices.
VXOA Release SSH Ciphers Notes
AES128 (encryption), SSHv2.0 only, Linux kernel
8.1.x SHA1 (hashing/integrity) based