Windows Suite B Support with IKEv1 » History » Version 10
Andreas Steffen, 15.07.2009 09:08
escaped # characters
h1. Windows Suite B Support with IKEv1

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869, i.e. AES-GCM for ESP, SHA-256 or SHA-384 for IKE integrity and the ECP-256 or ECP-384 Diffie-Hellman groups. For Windows configuration details see http://support.microsoft.com/kb/949856/.

The following command sets the IKEv1 Main Mode algorithms. Each entry has the form keyexchange:encryption-integrity and the entries are proposed in the order listed; the last entry, dhgroup14:aes128-sha1, is a non-Suite-B fallback for peers without ECP support:

<pre>
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
</pre>

The currently configured algorithms can be checked using the command:

<pre>
netsh advfirewall show global

Main Mode:
KeyLifetime 480min,0sess
SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH No
</pre>

The following command sets the IKEv1 Quick Mode algorithms in the connection security rule "VPN ECP". Quick Mode entries have the form esp:integrity-encryption; since AES-GCM provides both encryption and integrity protection, netsh requires the same AES-GCM algorithm in both positions:

<pre>
netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128
</pre>

The current rule settings are shown with the following command. No Quick Mode lifetime was given, so Windows appends its defaults of 60 minutes or 100000 kbytes to each entry, and since the rule sets no qmpfs value, Quick Mode runs without Perfect Forward Secrecy:

<pre>
netsh advfirewall consec show rule name="VPN ECP"

Rule Name: VPN ECP
----------------------------------------------------------------------
Enabled: Yes
Profiles: Domain,Private,Public
Type: Static
Mode: Tunnel
LocalTunnelEndpoint: Any
RemoteTunnelEndpoint: 10.10.0.1
Endpoint1: 10.10.0.6/32
Endpoint2: 10.10.1.0/24
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerCert
Auth1CAName: C=CH, O=strongSwan Project, CN=strongSwan 2009 CA
Auth1CertMapping: No
Auth1ExcludeCAName: No
Auth1CertType: Root
Auth1HealthCert: No
MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods: ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:SHA1-AES128+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Ok.
</pre>

On the strongSwan side the following entries are required in ipsec.conf for 128 bit security, in addition to the usual left/right, certificate and subnet settings of the connection. The trailing "!" makes the proposals strict, so that only the listed Suite B algorithms are accepted and the DHGroup14/SHA1 fallback offered by Windows can never be negotiated, and pfs=no matches the Windows rule, which does not enable Quick Mode PFS:

<pre>
conn ecp
     keyexchange=ikev1
     ike=aes128-sha256-ecp256!
     esp=aes128gcm16!
     pfs=no
</pre>

and for 192 bit security, i.e. AES-192 with SHA-384 and ECP-384. Note that this profile matches the second Windows proposal above rather than an RFC 4869 suite: Suite-B-GCM-256, the RFC 4869 suite at the ECP-384/SHA-384 level, specifies AES-256 instead of AES-192:

<pre>
conn ecp
     keyexchange=ikev1
     ike=aes192-sha384-ecp384!
     esp=aes192gcm16!
     pfs=no
</pre>

Here is the status output for 128 bit security. The negotiated IKE proposal is AES_CBC_128/HMAC_SHA2_256/ECP_256 and the ESP proposal is AES_GCM_16_128 with AUTH_NONE, since AES-GCM carries its own integrity protection, and no DH group, since pfs=no:

<pre>
ipsec statusall ecp

"ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: !#12
"ecp": CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'
"ecp": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"ecp": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"ecp": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"ecp": newest ISAKMP SA: !#11; newest IPsec SA: !#12;
"ecp": IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"ecp": ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

!#12: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3422s; newest IPSEC; eroute owner
!#12: "ecp" esp.3ca2dd6b@10.10.0.6 (180 bytes, 172s ago) esp.368105e6@10.10.0.1 (240 bytes, 172s ago); tunnel
!#11: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28622s; newest ISAKMP
</pre>

and for 192 bit security, where the negotiated proposals are AES_CBC_192/HMAC_SHA2_384/ECP_384 for IKE and AES_GCM_16_192 for ESP:

<pre>
ipsec statusall ecp

"ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: !#16
"ecp": CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'
"ecp": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"ecp": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"ecp": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"ecp": newest ISAKMP SA: !#15; newest IPsec SA: !#16;
"ecp": IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384
"ecp": ESP proposal: AES_GCM_16_192/AUTH_NONE/<N/A>

!#16: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3584s; newest IPSEC; eroute owner
!#16: "ecp" esp.5ee37f6a@10.10.0.6 (180 bytes, 10s ago) esp.a350055d@10.10.0.1 (240 bytes, 10s ago); tunnel
!#15: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28783s; newest ISAKMP
</pre>