fix(vpn): fix security proposal doc

RoRoJ · RoRoJ · commit 22e3bf2d0fee · 2025-07-07T13:46:32.000+02:00
diff --git a/pages/site-to-site-vpn/reference-content/security-proposals.mdx b/pages/site-to-site-vpn/reference-content/security-proposals.mdx
@@ -38,16 +38,14 @@ When defining your Site-to-Site VPN security proposal, you must define the algor
 | Protocol        | Element         | Description                                        | User must define?  |
 |-----------------|-----------------|----------------------------------------------------|----------------------------|
 | **IKEv2**       | **Encryption**  | Algorithm to encrypt IKE negotiation messages      | ✅ Yes                      |
-| **IKEv2**       | **Integrity**   | HMAC-based algorithm to verify IKE negotiation messages have not been tampered with | ✅ Yes                         |
+| **IKEv2**       | **Integrity**   | HMAC-based algorithm to verify IKE negotiation messages have not been tampered with. <br/><br/>Only set an HMAC integrity algorithm if **not** using an AEAD algorithm for IKEv2 encryption (see below). Otherwise, integrity is built in, and you do not need to set an IKEv2 integrity algorithm. | ❓ Depends                       |
 | **IKEv2**       | **Key Exchange Method** | DH group to define strength of key exchange | ✅ Yes                      |
 
 | Protocol        | Element         | Description                                        | User must define?  |
 |-----------------|-----------------|----------------------------------------------------|----------------------------|
 | **ESP**         | **Encryption**  | Algorithm to encrypt traffic's data payloads  | ✅ Yes                       |
 | **ESP**         | **Integrity**   | HMAC-based algorithm to verify data payloads have not been tampered with. <br/><br/>Only set an HMAC integrity algorithm if **not** using an AEAD algorithm for ESP encryption (see below). Otherwise, integrity is built in, and you do not need to set an ESP integrity algorithm. | ❓ Depends                         |
-| **ESP**         | **Key Exchange Method**   | Not applicable to ESP.                     | ❌ No                         |
-
-?? Pseudorandom function ??
+| **ESP**         | **Key Exchange Method**   | DH group to define strength of key exchange         | ❌ No                         |
 
 ## Encryption algorithms
 
@@ -65,7 +63,7 @@ The following encryption algorithms are available.
 | `aes192` (AES-CBC)      | non-AEAD         | 192            | ⚠️ Medium       | Rarely used, `aes256` is preferred.            | ⚠️ Use with caution |
 | `aes128` (AES-CBC)      | non-AEAD         | 128            | ⚠️ Medium       | Suitable for performance-sensitive VPNs, where constraints don't allow `aes256`                     | ⚠️ Use with caution |
 
-\* **A**uthenticated **E**ncryption with **A**ssociated **D**ata (**AEAD**) algorithms provide both encryption and authentication in a single step. They are more secure and efficient than non-AEAD algorithms, but are not supported by all legacy devices. We recommend that you always prefer AEAD algorithms (`aes256gcm16` or `chacha20poly1305`) for performance and security. Choosing an AEAD algorithm for ESP encryption means you do **not** need to define an algorithm for ESP integrity.
+\* **A**uthenticated **E**ncryption with **A**ssociated **D**ata (**AEAD**) algorithms provide both encryption and authentication in a single step. They are more secure and efficient than non-AEAD algorithms, but are not supported by all legacy devices. We recommend that you always prefer AEAD algorithms (`aes256gcm16` or `chacha20poly1305`) for performance and security. Choosing an AEAD algorithm for IKEv2/ESP encryption means you do **not** need to define an algorithm for IKEv2/ESP integrity.
 
 ## Integrity algorithms
 
