Windows Suite B Support with IKEv1 » History » Version 10
Andreas Steffen, 15.07.2009 09:08
escaped # characters
| 1 | 10 | Andreas Steffen | h1. Windows Suite B Support with IKEv1 |
|---|---|---|---|
| 2 | 1 | Andreas Steffen | |
| 3 | 3 | Andreas Steffen | Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/. |
| 4 | 2 | Andreas Steffen | |
| 5 | 8 | Andreas Steffen | The following command sets the IKEv1 Main Mode algorithms: |
| 6 | 2 | Andreas Steffen | |
| 7 | 1 | Andreas Steffen | <pre> |
| 8 | 1 | Andreas Steffen | netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1 |
| 9 | 1 | Andreas Steffen | </pre> |
| 10 | 2 | Andreas Steffen | |
| 11 | 2 | Andreas Steffen | The currently configured algorithms can be checked using the command: |
| 12 | 1 | Andreas Steffen | |
| 13 | 1 | Andreas Steffen | <pre> |
| 14 | 1 | Andreas Steffen | netsh advfirewall show global |
| 15 | 1 | Andreas Steffen | |
| 16 | 1 | Andreas Steffen | Main Mode: |
| 17 | 1 | Andreas Steffen | KeyLifetime 480min,0sess |
| 18 | 1 | Andreas Steffen | SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 |
| 19 | 1 | Andreas Steffen | ForceDH No |
| 20 | 3 | Andreas Steffen | </pre> |
| 21 | 3 | Andreas Steffen | |
| 22 | 8 | Andreas Steffen | The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN ECP": |
| 23 | 3 | Andreas Steffen | |
| 24 | 3 | Andreas Steffen | <pre> |
| 25 | 8 | Andreas Steffen | netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128 |
| 26 | 3 | Andreas Steffen | </pre> |
| 27 | 4 | Andreas Steffen | |
| 28 | 8 | Andreas Steffen | The current rule settings are shown with the following command: |
| 29 | 5 | Andreas Steffen | |
| 30 | 5 | Andreas Steffen | <pre> |
| 31 | 5 | Andreas Steffen | netsh advfirewall consec show rule name="VPN ECP" |
| 32 | 5 | Andreas Steffen | |
| 33 | 5 | Andreas Steffen | Rule Name: VPN ECP |
| 34 | 5 | Andreas Steffen | ---------------------------------------------------------------------- |
| 35 | 5 | Andreas Steffen | Enabled: Yes |
| 36 | 5 | Andreas Steffen | Profiles: Domain,Private,Public |
| 37 | 5 | Andreas Steffen | Type: Static |
| 38 | 5 | Andreas Steffen | Mode: Tunnel |
| 39 | 5 | Andreas Steffen | LocalTunnelEndpoint: Any |
| 40 | 5 | Andreas Steffen | RemoteTunnelEndpoint: 10.10.0.1 |
| 41 | 5 | Andreas Steffen | Endpoint1: 10.10.0.6/32 |
| 42 | 5 | Andreas Steffen | Endpoint2: 10.10.1.0/24 |
| 43 | 5 | Andreas Steffen | Protocol: Any |
| 44 | 5 | Andreas Steffen | Action: RequireInRequireOut |
| 45 | 5 | Andreas Steffen | Auth1: ComputerCert |
| 46 | 1 | Andreas Steffen | Auth1CAName: C=CH, O=strongSwan Project, CN=strongSwan 2009 CA |
| 47 | 1 | Andreas Steffen | Auth1CertMapping: No |
| 48 | 5 | Andreas Steffen | Auth1ExcludeCAName: No |
| 49 | 1 | Andreas Steffen | Auth1CertType: Root |
| 50 | 5 | Andreas Steffen | Auth1HealthCert: No |
| 51 | 5 | Andreas Steffen | MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 |
| 52 | 5 | Andreas Steffen | QuickModeSecMethods: ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:SHA1-AES128+60min+100000kb |
| 53 | 1 | Andreas Steffen | ExemptIPsecProtectedConnections: No |
| 54 | 1 | Andreas Steffen | ApplyAuthorization: No |
| 55 | 5 | Andreas Steffen | Ok. |
| 56 | 1 | Andreas Steffen | </pre> |
| 57 | 5 | Andreas Steffen | |
| 58 | 8 | Andreas Steffen | On the strongSwan side the following entries are required in ipsec.conf for 128 bit security: |
| 59 | 8 | Andreas Steffen | |
| 60 | 1 | Andreas Steffen | <pre> |
| 61 | 9 | Andreas Steffen | conn ecp |
| 62 | 9 | Andreas Steffen | keyexchange=ikev1 |
| 63 | 9 | Andreas Steffen | ike=aes128-sha256-ecp256! |
| 64 | 9 | Andreas Steffen | esp=aes128gcm16! |
| 65 | 9 | Andreas Steffen | pfs=no |
| 66 | 8 | Andreas Steffen | </pre> |
| 67 | 1 | Andreas Steffen | |
| 68 | 1 | Andreas Steffen | and for 192 bit security: |
| 69 | 1 | Andreas Steffen | |
| 70 | 1 | Andreas Steffen | <pre> |
| 71 | 9 | Andreas Steffen | conn ecp |
| 72 | 9 | Andreas Steffen | keyexchange=ikev1 |
| 73 | 9 | Andreas Steffen | ike=aes192-sha384-ecp384! |
| 74 | 9 | Andreas Steffen | esp=aes192gcm16! |
| 75 | 9 | Andreas Steffen | pfs=no |
| 76 | 6 | Andreas Steffen | </pre> |
| 77 | 6 | Andreas Steffen | |
| 78 | 8 | Andreas Steffen | Here the status output for 128 bit security: |
| 79 | 8 | Andreas Steffen | |
| 80 | 7 | Andreas Steffen | <pre> |
| 81 | 7 | Andreas Steffen | ipsec statusall ecp |
| 82 | 7 | Andreas Steffen | |
| 83 | 10 | Andreas Steffen | "ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: !#12 |
| 84 | 1 | Andreas Steffen | "ecp": CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA' |
| 85 | 1 | Andreas Steffen | "ecp": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 |
| 86 | 1 | Andreas Steffen | "ecp": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s; |
| 87 | 1 | Andreas Steffen | "ecp": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; |
| 88 | 10 | Andreas Steffen | "ecp": newest ISAKMP SA: !#11; newest IPsec SA: !#12; |
| 89 | 1 | Andreas Steffen | "ecp": IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256 |
| 90 | 1 | Andreas Steffen | "ecp": ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A> |
| 91 | 1 | Andreas Steffen | |
| 92 | 10 | Andreas Steffen | !#12: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3422s; newest IPSEC; eroute owner |
| 93 | 10 | Andreas Steffen | !#12: "ecp" esp.3ca2dd6b@10.10.0.6 (180 bytes, 172s ago) esp.368105e6@10.10.0.1 (240 bytes, 172s ago); tunnel |
| 94 | 10 | Andreas Steffen | !#11: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28622s; newest ISAKMP |
| 95 | 8 | Andreas Steffen | </pre> |
| 96 | 8 | Andreas Steffen | |
| 97 | 8 | Andreas Steffen | and 192 bit security: |
| 98 | 8 | Andreas Steffen | |
| 99 | 8 | Andreas Steffen | <pre> |
| 100 | 8 | Andreas Steffen | ipsec statusall ecp |
| 101 | 8 | Andreas Steffen | |
| 102 | 10 | Andreas Steffen | "ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: !#16 |
| 103 | 8 | Andreas Steffen | "ecp": CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA' |
| 104 | 8 | Andreas Steffen | "ecp": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 |
| 105 | 8 | Andreas Steffen | "ecp": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s; |
| 106 | 8 | Andreas Steffen | "ecp": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; |
| 107 | 10 | Andreas Steffen | "ecp": newest ISAKMP SA: !#15; newest IPsec SA: !#16; |
| 108 | 8 | Andreas Steffen | "ecp": IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384 |
| 109 | 8 | Andreas Steffen | "ecp": ESP proposal: AES_GCM_16_192/AUTH_NONE/<N/A> |
| 110 | 8 | Andreas Steffen | |
| 111 | 10 | Andreas Steffen | !#16: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3584s; newest IPSEC; eroute owner |
| 112 | 10 | Andreas Steffen | !#16: "ecp" esp.5ee37f6a@10.10.0.6 (180 bytes, 10s ago) esp.a350055d@10.10.0.1 (240 bytes, 10s ago); tunnel |
| 113 | 10 | Andreas Steffen | !#15: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28783s; newest ISAKMP |
| 114 | 7 | Andreas Steffen | </pre> |