TABLE OF CONTENTS

Overview
Default Cryptographic Settings
- 2.1 Branch / Hub ↔ Controller Tunnels
- 2.2 Branch / Hub ↔ Branch / Hub Tunnels
Quick Reference Summary
Algorithm Performance Guidance
Changing Default IKE and IPsec parameters between Branch and Controllers
- 5.1 Before Deploying Branches
- 5.2 After Branches Are Already Deployed
Changing Default IPsec parameters between Branch/Hub and Branch/Hub
Diffie-Hellman Groups & Perfect Forward Secrecy
- Group 19 (ECDH — NIST P-256)
Frequently Asked Questions

Overview

Versa SD-WAN leverages industry-standard IKEv2 and IPsec protocols to secure all overlay tunnels between network elements. IKEv2 and IPsec are used to establish secure communication between Branch/Hub devices and Controllers, while data exchanged between Branch/Hub devices is encrypted using IPsec.

All traffic traversing the Versa SD-WAN overlay is encrypted within the IPsec tunnel, ensuring confidentiality and integrity across the WAN.

This article outlines the default cryptographic algorithms configured out of the box, explains recommended settings for different traffic paths, and provides performance considerations to help customers make informed decisions when customizing IKE and IPsec encryption, integrity algorithms, and DH/PFS groups.

Two distinct tunnel types are used in a Versa SD-WAN deployment, each with independently configurable cryptographic profiles:

Branch / Hub → Controller — control-plane and management traffic
Branch / Hub → Branch / Hub — data-plane overlay traffic (spoke-to-spoke and hub-to-spoke)

Default Cryptographic Settings

The following tables document Versa's factory default IKE and IPsec settings. These are applied automatically when a new device is provisioned and do not require manual configuration.

2.1 Branch / Hub ↔ Controller Tunnels

Used for control-plane communication between CPE devices (branches and hubs) and the Versa Controller.

IKE Phase 1 (Key Exchange)

Parameter	Algorithm	Strength	Notes
Encryption	AES-256	256-bit	FIPS 140-2 compliant. Industry standard for key exchange.
Hash	SHA-256	256-bit	Provides data integrity verification for IKE negotiation.
DH Group	Group 19 (ECDH P-256)	256-bit	Elliptic Curve DH — smaller keys, equivalent to RSA-3072.

IPsec Phase 2 (Data Encryption)

Parameter	Algorithm	Strength	Notes
Encryption	AES-256	256-bit	Encrypts all tunnel traffic. FIPS 140-2 compliant.
Hash	SHA-256	256-bit	HMAC-SHA-256 for packet integrity and authentication.
DH Group	Group 19 (ECDH P-256)	256-bit	Perfect Forward Secrecy enabled via ECDH Group 19.

2.2 Branch / Hub ↔ Branch / Hub Tunnels

Used for data-plane overlay traffic between CPE devices. Versa uses AES-GCM (Authenticated Encryption with Associated Data) for this path, which combines encryption and integrity in a single pass for maximum performance.

IPsec (Data Encryption)

Parameter	Algorithm	Strength	Notes
Encryption	AES-128-GCM	128-bit	AEAD cipher — authentication is built into encryption.
Hash	GCM (AEAD)	128-bit	No separate HMAC needed. Reduces CPU overhead significantly.
DH Group	Group 19 (ECDH P-256)	256-bit	PFS ensures compromise of one session does not affect others.

Quick Reference Summary

The table below summarizes the default settings across all tunnel types in a single view.

Tunnel Type	Encryption	Hash / Mode	DH Group
Branch/Hub → Controller (IKE)	AES-256	SHA-256	Group 19 (ECDH-256)
Branch/Hub → Controller (IPsec)	AES-256	SHA-256	Group 19 (ECDH-256)
Branch/Hub → Branch/Hub (IPsec)	AES-128	GCM (AEAD)	Group 19 (ECDH-256)

Algorithm Performance Guidance

When selecting encryption and hash algorithms, there is always a trade-off between security strength and throughput. The table below compares common algorithm combinations to guide your selection.

Algorithm	Relative Performance	Security Level	Recommended
AES-128-GCM	Fastest	Strong	✔ Yes
AES-256-GCM	Fast (~same as AES128-GCM)	Very Strong	✔ Yes
AES-256 + SHA-256	~40% degradation compared with AES128-GCM/AES256-GCM	Strong	Not recommended unless required by specific customer security or compliance policies
AES-256 + SHA-384	~80% degradation compared with AES128-GCM/AES256-GCM	Strong	Not recommended unless mandated by customer security or regulatory requirements
AES-256 + SHA-512	~80% degradation compared with AES128-GCM/AES256-GCM	Strong	Not recommended unless mandated by customer security or regulatory requirements
AES-256 + SHA-1	Medium	Legacy	✘ Not recommended (legacy algorithm)
3DES / DES	Slow	Weak	✘ Not recommended (weak/obsolete algorithm)

Versa Recommendation

Use AES-256-GCM for all data-plane (Branch-to-Branch) tunnels when a 256-bit encryption policy is required.
It provides strong cryptographic protection with minimal performance impact, leveraging hardware acceleration available on modern CPUs.
The throughput difference between AES-128-GCM and AES-256-GCM is typically less than 10% on supported hardware.
Both options provide strong security, with AES-256-GCM often preferred for compliance-sensitive deployments.
Avoid non-GCM hash-based algorithms (e.g., SHA-1, SHA-256, SHA-384, and SHA-512 in non-AEAD mode) on high-throughput links.
These require separate HMAC computation, resulting in measurable performance overhead and reduced scalability.
Do not use 3DES or DES in production environments.
These algorithms are considered cryptographically weak and are not supported in FIPS-compliant deployments.

Changing Default IKE and IPsec parameters between Branch and Controllers

5.1 Before Deploying Branches

If you need to customize the IKE or IPsec profile before provisioning branch devices, modify the settings on the Controller first. This ensures all newly provisioned devices negotiate the correct algorithms from the first connection.

Log in to Versa Director and navigate to your organisation's template.
Open the IKE / IPsec profile and update the Encryption, Hash, and DH Group fields to the desired values.
Save and publish the updated template.
Deploy branches — they will automatically inherit the updated IKE/IPsec parameters.

5.2 After Branches Are Already Deployed

Changing cryptographic settings on live deployed devices requires a coordinated sequence to avoid tunnel outages. Follow these steps carefully:

⚠️ Important — Read Before Proceeding

Mismatched IKE/IPsec parameters between the Controller and CPE devices will cause tunnels to drop. Always follow the sequence below and change Controllers first.

Changes take effect only after the IPsec SA is re-keyed or the device is rebooted. Plan a maintenance window accordingly.

Update the IPsec VPN profile on template in Director.
Push the updated template to Hub/Branches nodes first with the Reboot option enabled.
Apply the same template change to all branch/hub devices using the reboot push option.
Verify Controller tunnels re-establish successfully with the new parameters.
Monitor tunnel state in Director — all devices should show Connected status within 10 minutes of reboot.

If tunnels do not re-establish, check that the IKE and IPsec proposals on both ends match exactly. Mismatched DH groups are the most common cause of negotiation failure after a cipher change.

Changing Default IPsec parameters between Branch/Hub and Branch/Hub

If you need to modify the default IPsec encryption or integrity algorithms (for example, changing from the Versa default AES-128-GCM), update the Branch-to-Branch SD-WAN profile accordingly.

To ensure uninterrupted connectivity during the transition, follow these steps:

Create a new transform-set with the desired encryption and integrity algorithms.
Retain the existing AES-128-GCM transform-set and configure both transform-sets in the SD-WAN profile.
Push the updated profile to all required Branch/Hub devices.
After confirming that tunnels are successfully established using the new transform-set, remove the default AES-128-GCM transform-set from the profile.

This staged approach prevents tunnel disruption by ensuring that both peers maintain at least one mutually supported proposal during the migration process.

Diffie-Hellman Groups & Perfect Forward Secrecy

All Versa SD-WAN tunnels use Perfect Forward Secrecy (PFS) by default. PFS ensures that even if a long-term private key is compromised, past session keys cannot be derived — every IPsec SA uses a fresh Diffie-Hellman exchange.

Group 19 (ECDH — NIST P-256)

Versa defaults to DH Group 19, which uses Elliptic Curve Diffie-Hellman (ECDH) over the NIST P-256 curve. This offers equivalent security to a 3072-bit RSA key while using significantly smaller key sizes, resulting in faster negotiation and lower CPU overhead.

DH Group	Group 19 — NIST P-256 (ECDH)
Key Size	256-bit elliptic curve (equivalent to ~3072-bit RSA)
PFS Enabled	Yes — every IPsec SA negotiation uses a fresh key exchange
FIPS Compliant	Yes — NIST P-256 is approved under FIPS 186-4
RFC Reference	RFC 5903 — Elliptic Curve Groups for IKE and IKEv2

Frequently Asked Questions

Why does Versa use GCM for Branch-to-Branch but SHA-256 for Branch-to-Controller?

Branch-to-Branch tunnels carry high-volume data-plane traffic where throughput and scalability are critical. AES-GCM (AEAD) integrates encryption and integrity in a single operation, eliminating separate HMAC computation and reducing CPU overhead at scale.

Branch-to-Controller tunnels primarily handle control-plane and management traffic at significantly lower volumes. In this context, SHA-256 provides strong, auditable integrity verification without material performance impact.

Is it safe to mix AES-128 and AES-256 devices in the same deployment?

Yes, provided both endpoints include the other's cipher in their IKE proposal list. During negotiation, IKE will automatically select the strongest mutually supported algorithm.

However, for operational consistency and simplified troubleshooting, Versa recommends standardizing on a single cipher suite within the same network segment.

What happens if IKE parameters mismatch after a cipher change?

If IKE parameters do not match between peers, tunnel negotiation will fail and the tunnel will not establish. Device logs will typically display the error:

NO_PROPOSAL_CHOSEN

To prevent this condition:

Update Controllers first.
Verify successful tunnel establishment.
Then push configuration changes to Branch devices.

This ensures both ends maintain compatible active proposals during the transition.

AES-256-GCM vs AES-256 + SHA-256 — Which Should I Use?

Recommendation: Use AES-256-GCM.

AES-256-GCM provides integrated encryption and integrity (AEAD) in a single operation and benefits from hardware acceleration on modern CPUs. This results in better performance, lower CPU utilization, and improved scalability.

AES-256 + SHA-256 remains cryptographically strong but requires separate encryption and HMAC processing, introducing measurable performance overhead without providing additional practical security benefits.

Use AES-256 + SHA-256 only when required for regulatory compliance or legacy interoperability.

AES-256-GCM vs AES-256 + SHA-384 — Which Is More Secure?

Recommendation: AES-256-GCM remains the preferred option.

Although SHA-384 uses a larger hash size, it does not provide meaningful additional security in typical enterprise SD-WAN deployments. Overall security strength is generally bounded by the encryption algorithm and key exchange parameters.

AES-256 + SHA-384 introduces significant performance overhead due to separate HMAC computation. Unless mandated by regulatory requirements, AES-256-GCM is the better choice.

AES-256-GCM vs AES-256 + SHA-512 — Is SHA-512 Stronger?

Recommendation: AES-256-GCM is preferred.

SHA-512 does not increase the effective encryption strength beyond AES-256. In practical deployments, AES-256-GCM already delivers strong authenticated encryption with significantly better performance and lower CPU utilization.

AES-256 + SHA-512 should be used only when explicitly required by customer security or regulatory policies. For modern deployments, AES-256-GCM provides the optimal balance of security, performance, and efficiency.

Encryption, Ciphers & DH/PFS Group Recommendations for SD-WAN