Windows Suite B Support with IKEv1 » History » Version 10

Andreas Steffen, 15.07.2009 09:08
escaped # characters

h1. Windows Suite B Support with IKEv1

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.

The following command sets the IKEv1 Main Mode algorithms:

<pre>
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
</pre>

The currently configured algorithms can be checked using the command:

<pre>
netsh advfirewall show global

Main Mode:
KeyLifetime  480min,0sess
SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH      No
</pre>

The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN ECP":

<pre>
netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128
</pre>

The current rule settings are shown with the following command:

<pre>
netsh advfirewall consec show rule name="VPN ECP"

Rule Name:                            VPN ECP
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  Any
RemoteTunnelEndpoint:                 10.10.0.1
Endpoint1:                            10.10.0.6/32
Endpoint2:                            10.10.1.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCert
Auth1CAName:                          C=CH, O=strongSwan Project, CN=strongSwan 2009 CA
Auth1CertMapping:                     No
Auth1ExcludeCAName:                   No
Auth1CertType:                        Root
Auth1HealthCert:                      No
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:SHA1-AES128+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
Ok.
</pre>

On the strongSwan side the following entries are required in ipsec.conf for 128-bit security:

<pre>
conn ecp
     keyexchange=ikev1
     ike=aes128-sha256-ecp256!
     esp=aes128gcm16!
     pfs=no
</pre>

and for 192-bit security:

<pre>
conn ecp
     keyexchange=ikev1
     ike=aes192-sha384-ecp384!
     esp=aes192gcm16!
     pfs=no
</pre>
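
Keeping the two notations in step by hand is error-prone: netsh writes Main Mode entries as @group:cipher-integrity@ and Quick Mode entries as @esp:integrity-cipher@ (or @esp:aesgcmN-aesgcmN@ for AES-GCM), while strongSwan writes @cipher-integrity-group@ and @aesNgcm16@. The following Python script is an added example, not part of this page or of the strongSwan project. It translates the netsh algorithm lists used above into strongSwan proposal syntax, reports which proposals a given @ike=@ or @esp=@ value has in common with the Windows list, and flags the legacy fallback entries (SHA-1, MODP groups) on the Windows side that are not Suite B algorithms and that the strict @!@ in the strongSwan proposals keeps from being negotiated. The token tables are an assumption limited to the algorithms on this page plus a few common neighbours; AES-GCM is mapped to the 16-octet ICV variant that the @esp=aes128gcm16@ line above uses.

```python
import re

# netsh token -> strongSwan keyword. The tables are an assumption that covers
# the algorithms used on this page plus a few common neighbours.
DH_GROUPS = {"ecdhp256": "ecp256", "ecdhp384": "ecp384",
             "dhgroup14": "modp2048", "dhgroup2": "modp1024"}
CIPHERS = {"aes128": "aes128", "aes192": "aes192", "aes256": "aes256", "3des": "3des"}
INTEGRITY = {"sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "md5": "md5"}
AES_GCM = re.compile(r"aesgcm(128|192|256)")


def mm_to_strongswan(mmsecmethods):
    """Translate a netsh mmsecmethods list such as
    'ecdhp256:aes128-sha256,dhgroup14:aes128-sha1' into strongSwan ike=
    proposals ('aes128-sha256-ecp256', 'aes128-sha1-modp2048')."""
    proposals = []
    for entry in mmsecmethods.lower().split(","):
        group, algs = entry.strip().split(":")
        cipher, integ = algs.split("-")
        proposals.append(f"{CIPHERS[cipher]}-{INTEGRITY[integ]}-{DH_GROUPS[group]}")
    return proposals


def qm_to_strongswan(qmsecmethods):
    """Translate a netsh qmsecmethods list into strongSwan esp= proposals.
    Both the 'set' form (esp:aesgcm128-aesgcm128) and the 'show' form
    (ESP:AESGCM128-AESGCM128+60min+100000kb) are accepted; the lifetime
    suffixes are dropped because strongSwan configures lifetimes separately."""
    proposals = []
    for entry in qmsecmethods.lower().split(","):
        proto, algs = entry.strip().split(":")
        if proto != "esp":
            raise ValueError(f"only ESP entries are handled, got {entry!r}")
        first, second = algs.split("+")[0].split("-")
        m = AES_GCM.fullmatch(first)
        if m:
            # netsh repeats the GCM algorithm in both positions; strongSwan
            # names the 16-octet ICV variant that Windows uses
            if second != first:
                raise ValueError(f"malformed AES-GCM entry {entry!r}")
            proposals.append(f"aes{m.group(1)}gcm16")
        else:
            # non-AEAD entries are written integrity-first on the netsh side
            proposals.append(f"{CIPHERS[second]}-{INTEGRITY[first]}")
    return proposals


def parse_strongswan(value):
    """Split an ike=/esp= value into proposals; a trailing '!' means strict."""
    strict = value.endswith("!")
    return [p.strip() for p in value.rstrip("!").split(",")], strict


def common_proposals(windows_proposals, strongswan_value):
    """Proposals present on both sides, in the order Windows offers them."""
    ours, _strict = parse_strongswan(strongswan_value)
    return [p for p in windows_proposals if p in ours]


def legacy_proposals(proposals):
    """Entries that use SHA-1 or a MODP group, i.e. not Suite B algorithms."""
    return [p for p in proposals
            if any(t == "sha1" or t.startswith("modp") for t in p.split("-"))]


if __name__ == "__main__":
    # the algorithm lists from the netsh commands above
    mm = mm_to_strongswan("ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1")
    qm = qm_to_strongswan("esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128")
    print("ike= candidates:", ",".join(mm))
    print("esp= candidates:", ",".join(qm))
    print("matching ike=aes128-sha256-ecp256! :", common_proposals(mm, "aes128-sha256-ecp256!"))
    print("matching esp=aes128gcm16! :", common_proposals(qm, "aes128gcm16!"))
    print("legacy fallbacks on the Windows side:", legacy_proposals(mm + qm))
```

Run with no arguments and it prints the strongSwan proposals that correspond to the three Main Mode and three Quick Mode entries configured above, the single proposal that each of the two 128-bit ipsec.conf lines shares with them, and the two SHA-1 fallback entries that only a non-strict strongSwan proposal could end up accepting.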

Here is the status output for 128-bit security:

<pre>
ipsec statusall ecp

"ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: #12
"ecp":   CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'
"ecp":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"ecp":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"ecp":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; 
"ecp":   newest ISAKMP SA: #11; newest IPsec SA: #12; 
"ecp":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"ecp":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

#12: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3422s; newest IPSEC; eroute owner
#12: "ecp" esp.3ca2dd6b@10.10.0.6 (180 bytes, 172s ago) esp.368105e6@10.10.0.1 (240 bytes, 172s ago); tunnel
#11: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28622s; newest ISAKMP
</pre>

and for 192-bit security:

<pre>
ipsec statusall ecp

"ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: #16
"ecp":   CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'
"ecp":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"ecp":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"ecp":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; 
"ecp":   newest ISAKMP SA: #15; newest IPsec SA: #16; 
"ecp":   IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384
"ecp":   ESP proposal: AES_GCM_16_192/AUTH_NONE/<N/A>

#16: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3584s; newest IPSEC; eroute owner
#16: "ecp" esp.5ee37f6a@10.10.0.6 (180 bytes, 10s ago) esp.a350055d@10.10.0.1 (240 bytes, 10s ago); tunnel
#15: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28783s; newest ISAKMP
</pre>
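
Reading the status listing by eye is fine for one tunnel; a check that fails loudly when a peer ends up on a proposal other than the one intended is more useful in an automated setup. The script below is an added example, not code from this page or from the strongSwan project. It parses the @ipsec statusall@ output shown above (the 128-bit listing is embedded as sample input so the script runs offline), extracts the negotiated IKE and ESP proposals, the ISAKMP and IPsec SA states and the ESP SPIs, and compares the proposals against the values expected for the 128-bit and 192-bit configurations on this page. The expected-proposal table and the conn name @ecp@ are taken from the page; the function names are my own.

```python
import re

# Sample input: the 128-bit "ipsec statusall ecp" listing from this page,
# embedded so the example runs without a running IKE daemon.
SAMPLE_STATUS = """\
"ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: #12
"ecp":   CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'
"ecp":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"ecp":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"ecp":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"ecp":   newest ISAKMP SA: #11; newest IPsec SA: #12;
"ecp":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"ecp":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

#12: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3422s; newest IPSEC; eroute owner
#12: "ecp" esp.3ca2dd6b@10.10.0.6 (180 bytes, 172s ago) esp.368105e6@10.10.0.1 (240 bytes, 172s ago); tunnel
#11: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28622s; newest ISAKMP
"""

# Negotiated proposals expected for the two security levels on this page,
# in the notation that ipsec statusall prints.
EXPECTED = {
    128: ("AES_CBC_128/HMAC_SHA2_256/ECP_256", "AES_GCM_16_128/AUTH_NONE/<N/A>"),
    192: ("AES_CBC_192/HMAC_SHA2_384/ECP_384", "AES_GCM_16_192/AUTH_NONE/<N/A>"),
}


def parse_statusall(text, conn):
    """Extract proposals, SA states and ESP SPIs for one conn from the
    statusall listing. Conn lines start with '"<conn>":', SA lines with
    '#<n>: "<conn>"'."""
    info = {"ike_proposal": None, "esp_proposal": None,
            "isakmp_established": False, "ipsec_established": False, "spis": []}
    tag = f'"{conn}"'
    sa_line = re.compile(rf"#(\d+): {re.escape(tag)} (.*)")
    for line in text.splitlines():
        if line.startswith(tag + ":"):
            for key, label in (("ike_proposal", "IKE proposal"),
                               ("esp_proposal", "ESP proposal")):
                m = re.search(rf"{label}: (\S+)", line)
                if m:
                    info[key] = m.group(1)
            continue
        m = sa_line.match(line)
        if not m:
            continue
        body = m.group(2)
        if "ISAKMP SA established" in body:
            info["isakmp_established"] = True
        if "IPsec SA established" in body:
            info["ipsec_established"] = True
        # esp.<spi>@<peer address> pairs, one per direction
        info["spis"].extend(re.findall(r"esp\.([0-9a-f]+)@(\S+)", body))
    return info


def verify_suite_b(info, bits):
    """Return a list of findings; an empty list means both SAs are up and
    the negotiated proposals are exactly the ones expected for this level."""
    ike_exp, esp_exp = EXPECTED[bits]
    findings = []
    if not info["isakmp_established"]:
        findings.append("no ISAKMP SA established")
    if not info["ipsec_established"]:
        findings.append("no IPsec SA established")
    if info["ike_proposal"] != ike_exp:
        findings.append(f"IKE proposal {info['ike_proposal']} is not {ike_exp}")
    if info["esp_proposal"] != esp_exp:
        findings.append(f"ESP proposal {info['esp_proposal']} is not {esp_exp}")
    return findings


if __name__ == "__main__":
    status = parse_statusall(SAMPLE_STATUS, "ecp")
    print("ESP SPIs:", ", ".join(f"{spi}@{peer}" for spi, peer in status["spis"]))
    for bits in (128, 192):
        problems = verify_suite_b(status, bits)
        print(f"{bits}-bit check:", "OK" if not problems else "; ".join(problems))
```

Against the embedded listing the 128-bit check passes and the 192-bit check reports both proposals as mismatched, which is the behaviour wanted: the script reads the proposals the daemon actually negotiated, not the ones written in ipsec.conf.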