Use: AES-CTR-128, AES-CTR-256, AES-GCM-128, AES-GCM-256
Avoid: AES-CBC-128, AES-CBC-256
IKEv1 Phase 1 exchanges must use main mode only
IKEv1 and IKEv2 SA lifetimes can be limited to 24 hours for Phase 1 SAs and 8 hours for Phase 2 SAs.
IKEv1 and IKEv2 SA lifetimes can be limited to 100 – 200 MB of traffic.
All IKE protocols implement DH Groups 14 (2048-bit MODP) and above.
Peer Authentication can use RSA and ECDSA
Mutual authentication with X.509v3 certificates is required.
All sessions must be rejected if the remote peer advertises only non-compliant algorithms or key sizes other than those listed above.
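The rules above can be applied mechanically when a peer advertises its proposals. The following is an added example, not part of the original requirements text or of any vendor's implementation: it models the policy (allowed AES-CTR/AES-GCM suites, DH group 14 or stronger, RSA/ECDSA with mutual X.509v3 certificates, main mode for IKEv1, the 24 h / 8 h / 200 MB lifetime caps) and rejects a session when none of the peer's proposals is compliant. The IkeProposal fields, the "main"/"aggressive" mode labels, the MiB interpretation of the 200 MB limit and the sample proposals are assumptions constructed for this example.

```python
# Added example (not part of the original requirements text): a small policy
# checker that models the IKE/IPsec rules above and evaluates peer proposals.
# The IkeProposal fields, mode labels and sample proposals are constructed
# for this example and are not a vendor configuration format.
from dataclasses import dataclass
from typing import List, Optional

ALLOWED_ENCRYPTION = {"AES-CTR-128", "AES-CTR-256", "AES-GCM-128", "AES-GCM-256"}
# IANA IKE DH group numbers that are at least as strong as group 14
# (2048-bit MODP). An explicit allowlist is used instead of ">= 14" because
# numeric order is not strength order: group 22, for instance, is only 1024-bit MODP.
ALLOWED_DH_GROUPS = {14, 15, 16, 17, 18, 19, 20, 21}
ALLOWED_AUTH = {"RSA", "ECDSA"}
MAX_PHASE1_SECONDS = 24 * 3600
MAX_PHASE2_SECONDS = 8 * 3600
MAX_SA_BYTES = 200 * 1024 * 1024  # upper bound of the 100-200 MB range (assumption: MiB)


@dataclass
class IkeProposal:
    ike_version: int             # 1 or 2
    encryption: str              # e.g. "AES-GCM-256"
    dh_group: int                # IANA DH group number
    auth_method: str             # "RSA", "ECDSA", "PSK", ...
    exchange_mode: str = "main"  # IKEv1 Phase 1 only: "main" or "aggressive"
    mutual_x509: bool = True     # both peers present X.509v3 certificates
    phase1_lifetime_s: int = MAX_PHASE1_SECONDS
    phase2_lifetime_s: int = MAX_PHASE2_SECONDS
    lifetime_bytes: int = MAX_SA_BYTES


def check_proposal(p: IkeProposal) -> List[str]:
    """Return every policy violation for one proposal; an empty list means compliant."""
    violations = []
    if p.encryption not in ALLOWED_ENCRYPTION:
        violations.append(f"encryption {p.encryption} is not an allowed AES-CTR/AES-GCM suite")
    if p.ike_version == 1 and p.exchange_mode != "main":
        violations.append(f"IKEv1 Phase 1 must use main mode, got {p.exchange_mode}")
    if p.dh_group not in ALLOWED_DH_GROUPS:
        violations.append(f"DH group {p.dh_group} is not group 14 (2048-bit MODP) or stronger")
    if p.auth_method not in ALLOWED_AUTH:
        violations.append(f"peer authentication {p.auth_method} is not RSA or ECDSA")
    if not p.mutual_x509:
        violations.append("mutual authentication with X.509v3 certificates is required")
    if p.phase1_lifetime_s > MAX_PHASE1_SECONDS:
        violations.append(f"Phase 1 SA lifetime {p.phase1_lifetime_s}s exceeds 24 hours")
    if p.phase2_lifetime_s > MAX_PHASE2_SECONDS:
        violations.append(f"Phase 2 SA lifetime {p.phase2_lifetime_s}s exceeds 8 hours")
    if p.lifetime_bytes > MAX_SA_BYTES:
        violations.append(f"SA traffic lifetime {p.lifetime_bytes} bytes exceeds 200 MB")
    return violations


def select_proposal(peer_proposals: List[IkeProposal]) -> Optional[IkeProposal]:
    """Pick the first compliant proposal the peer advertises, or None to reject the session."""
    for p in peer_proposals:
        if not check_proposal(p):
            return p
    return None


# Constructed sample proposals, in the order a peer might advertise them.
SAMPLE_PEER = [
    IkeProposal(2, "AES-CBC-256", 5, "PSK"),                               # legacy: CBC, group 5, PSK
    IkeProposal(1, "AES-GCM-128", 14, "RSA", exchange_mode="aggressive"),  # aggressive mode
    IkeProposal(2, "AES-GCM-256", 19, "ECDSA", lifetime_bytes=100 * 1024 * 1024),
]

if __name__ == "__main__":
    for p in SAMPLE_PEER:
        print(p.encryption, p.dh_group, p.auth_method, check_proposal(p) or "compliant")
    chosen = select_proposal(SAMPLE_PEER)
    print("selected:", chosen.encryption if chosen else "none, reject session")
```

Running the block shows the first two sample proposals rejected (three violations for the legacy one, one for the aggressive-mode one) and the third selected; a peer offering only the first two would have the session rejected, which is the behaviour the last requirement calls for.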