Both AES-CBC and AES-GCM are no longer mandated and only one must be selected.

FCS_IPSEC_EXT.1.4 in VPN GW v2.1 is replaced as follows:

FCS_IPSEC_EXT.1.4 The TSF shall implement the IPsec protocol ESP as defined by RFC 4303 using the cryptographic algorithms [selection: AES-CBC-128, AES-CBC-256 (specified in RFC 3602), AES-GCM-128, AES-GCM-256 (specified in RFC 4106)] and [selection: AES-CBC-192 (specified in RFC 3602), AES-GCM-192 (specified in RFC 4106), no other algorithm] together with a Secure Hash Algorithm (SHA)-based HMAC [selection: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, no other algorithm].

Application Note:

This SFR element has been modified from its definition in the NDcPP by mandating either 128 or 256 bit key sizes for AES and GCM, thereby disallowing for the sole selection of 192 bit key sizes. When an AES-CBC algorithm is selected, at least one SHA-based HMAC must also be chosen. If only an AES-GCM algorithm is selected, then a SHA-based HMAC is not required since AES-GCM satisfies both confidentiality and integrity functions. IPsec may utilize a truncated version of the SHA-based HMAC functions contained in the selections. Where a truncated output is utilized, this is described in the TSS.

See issue description.