Use: AES-CTR-128, AES-CTR-256, AES-GCM-128, AES-GCM-256

Avoid: AES-CBC-128, AES-CBC-256

IKEv1 Phase 1 exchanges use only main mode.

IKEv1 and IKEv2 SA lifetimes can be limited to 24 hours for Phase 1 SAs and 8 hours for Phase 2 SAs.

IKEv1 and IKEv2 SA lifetimes can be limited to 100 – 200 MB of traffic.

All IKE protocols implement DH Groups 14 (2048-bit MODP) and above.

Peer authentication can use RSA and ECDSA.

Mutual authentication with X.509v3 certificates is required.

All sessions must be rejected if the remote peer advertises only non-compliant algorithms and key sizes different from those listed above.
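
Added example, not part of the original requirements list: a small policy check that applies the cipher, DH group, authentication and main-mode rules above to a peer's offers and rejects the session when none comply. The `Offer` record, the function names and the sample offers are hypothetical, and "and above" is assumed to mean a DH group number of 14 or higher.

```python
from dataclasses import dataclass
from typing import Optional

# Policy values copied from the requirements above.
ALLOWED_CIPHERS = {("AES-CTR", 128), ("AES-CTR", 256),
                   ("AES-GCM", 128), ("AES-GCM", 256)}
ALLOWED_AUTH = {"RSA", "ECDSA"}
MIN_DH_GROUP = 14  # assumption: "and above" is read as group number >= 14

@dataclass(frozen=True)
class Offer:
    """Hypothetical flattened view of one Phase 1 / IKE SA offer from a peer."""
    ike_version: int          # 1 or 2
    cipher: str               # e.g. "AES-GCM"
    key_bits: int
    dh_group: int
    auth: str                 # certificate signature algorithm
    mode: str = "main"        # IKEv1 Phase 1 exchange mode; ignored for IKEv2

def violations(o: Offer) -> list[str]:
    """Return every policy rule the offer breaks (empty list = compliant)."""
    found = []
    if (o.cipher, o.key_bits) not in ALLOWED_CIPHERS:
        found.append(f"cipher {o.cipher}-{o.key_bits} not allowed")
    if o.dh_group < MIN_DH_GROUP:
        found.append(f"DH group {o.dh_group} below {MIN_DH_GROUP}")
    if o.auth not in ALLOWED_AUTH:
        found.append(f"auth {o.auth} not allowed")
    if o.ike_version == 1 and o.mode != "main":
        found.append(f"IKEv1 {o.mode} mode not allowed")
    return found

def select(offers: list[Offer]) -> Optional[Offer]:
    """First compliant offer in the peer's order, or None to reject the session."""
    return next((o for o in offers if not violations(o)), None)

# Constructed sample offers, not captured traffic.
SAMPLE = [
    Offer(2, "AES-CBC", 256, 14, "RSA"),
    Offer(2, "AES-GCM", 256, 19, "ECDSA"),
    Offer(1, "AES-CTR", 128, 14, "RSA", mode="aggressive"),
]

if __name__ == "__main__":
    for o in SAMPLE:
        print(o, violations(o) or "compliant")
    print("selected:", select(SAMPLE))
```

Logging the list returned by `violations()` for each rejected offer gives an audit trail of why a session was refused.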