Project

General

Profile

Windows Suite B Support with IKEv1 » History » Version 12

Version 11 (Andreas Steffen, 22.07.2009 13:57) → Version 12/26 (Andreas Steffen, 22.07.2009 14:31)

h1. Windows Suite B Support with IKEv1

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.

The following command sets the IKEv1 Main Mode algorithms:

<pre>
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
</pre>

The currently configured algorithms can be checked using the command:

<pre>
netsh advfirewall show global

Main Mode:
KeyLifetime 480min,0sess
SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH No
</pre>

The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B":

<pre>
netsh advfirewall consec set rule name="VPN Suite B" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
</pre>

The current rule settings are shown with the following command:

<pre>
netsh advfirewall consec show rule name="VPN Suite B"

Rule Name: VPN Suite B
----------------------------------------------------------------------
Enabled: Yes
Profiles: Domain,Private,Public
Type: Static
Mode: Tunnel
LocalTunnelEndpoint: 10.10.0.6
RemoteTunnelEndpoint: 10.10.0.1
Endpoint1: 10.10.0.6/32
Endpoint2: 10.10.1.0/24
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerCertECDSAP256
Auth1ECDSAP256CAName: C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
Auth1ECDSAP256CertMapping: No
Auth1ECDSAP256ExcludeCAName: No
Auth1ECDSAP256CertType: Root
Auth1ECDSAP256HealthCert: No
MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods: ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Ok.
</pre>

On the strongSwan side the following entries are required in ipsec.conf for 128 bit security:

<pre>
conn suiteB
left=10.10.0.1
leftcert=koala_ecCert.pem
leftid=@koala.strongsec.com
leftsubnet=10.10.1.0/24
leftfirewall=yes
lefthostaccess=yes
right=10.10.0.6
rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com"
rightca=%same
keyexchange=ikev1
ike=aes128-sha256-ecp256!
esp=aes128gcm16!
pfs=no
</pre>

and for 192 bit security:

<pre>
conn ecp

dpdaction=clear keyexchange=ikev1
dpddelay=300s ike=aes192-sha384-ecp384!
rekey=no esp=aes192gcm16!
auto=add pfs=no
</pre>

Here the resulting status output: output for 128 bit security:

<pre>
root@koala:~# ipsec statusall suiteB ecp

Status of IKEv1 pluto daemon (strongSwan 4.3.3): "ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: !#12
loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac "ecp": CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'
"ecp": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"ecp": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"ecp": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;

debug options: control

"suiteB": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com];
"ecp": newest ISAKMP SA: !#11; newest IPsec SA: !#12;
"ecp": IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"ecp": ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

!#12: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3422s; newest IPSEC; eroute owner
!#12: "ecp" esp.3ca2dd6b@10.10.0.6 (180 bytes, 172s ago) esp.368105e6@10.10.0.1 (240 bytes, 172s ago); tunnel
!#11: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28622s; newest ISAKMP
</pre>

and 192 bit security:

<pre>
ipsec statusall ecp

"ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org];
erouted; eroute owner: !#21 !#16
"suiteB": "ecp": CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 O=strongSwan Project, CN=strongSwan 2009 CA'
"suiteB": "ecp": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"suiteB": "ecp": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"suiteB": "ecp": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"suiteB": "ecp": newest ISAKMP SA: !#20; !#15; newest IPsec SA: !#21; !#16;
"suiteB": "ecp": IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256 AES_CBC_192/HMAC_SHA2_384/ECP_384
"suiteB": "ecp": ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A> AES_GCM_16_192/AUTH_NONE/<N/A>

!#21: "suiteB" !#16: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3580s; 3584s; newest IPSEC; eroute owner
!#21: "suiteB" esp.671c2d71@10.10.0.6 !#16: "ecp" esp.5ee37f6a@10.10.0.6 (180 bytes, 14s 10s ago) esp.9f12330a@10.10.0.1 esp.a350055d@10.10.0.1 (240 bytes, 14s 10s ago); tunnel
!#20: "suiteB" !#15: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28780s; 28783s; newest ISAKMP
</pre>