Windows Suite B Support with IKEv1 » History » Version 13
« Previous -
Version 13/26
(diff) -
Next » -
Current version
Andreas Steffen, 22.07.2009 14:38
added screen shots
Windows Suite B Support with IKEv1¶
Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by RFC 4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.
First we create a new "VPN Suite B" security rule:
The following command sets the IKEv1 Main Mode algorithms:
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
The currently configured algorithms can be checked using the command:
netsh advfirewall show global Main Mode: KeyLifetime 480min,0sess SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 ForceDH No
The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B":
netsh advfirewall consec set rule name="VPN Suite B" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
The current rule settings are shown with the following command:
netsh advfirewall consec show rule name="VPN Suite B" Rule Name: VPN Suite B ---------------------------------------------------------------------- Enabled: Yes Profiles: Domain,Private,Public Type: Static Mode: Tunnel LocalTunnelEndpoint: 10.10.0.6 RemoteTunnelEndpoint: 10.10.0.1 Endpoint1: 10.10.0.6/32 Endpoint2: 10.10.1.0/24 Protocol: Any Action: RequireInRequireOut Auth1: ComputerCertECDSAP256 Auth1ECDSAP256CAName: C=CH, O=strongSec GmbH, CN=strongSec 2007 CA Auth1ECDSAP256CertMapping: No Auth1ECDSAP256ExcludeCAName: No Auth1ECDSAP256CertType: Root Auth1ECDSAP256HealthCert: No MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 QuickModeSecMethods: ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb ExemptIPsecProtectedConnections: No ApplyAuthorization: No Ok.
On the strongSwan side the following entries are required in ipsec.conf for 128 bit security:
conn suiteB left=10.10.0.1 leftcert=koala_ecCert.pem leftid=@koala.strongsec.com leftsubnet=10.10.1.0/24 leftfirewall=yes lefthostaccess=yes right=10.10.0.6 rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com" rightca=%same keyexchange=ikev1 ike=aes128-sha256-ecp256! esp=aes128gcm16! pfs=no dpdaction=clear dpddelay=300s rekey=no auto=add
Pinging host 10.10.1.11 from the Windows 7 host triggers the IKEv1 tunnel setup.
The following Windows status information is available for the Main Mode:
and the established Quick Mode:
And here the resulting status output on the Linux side:
root@koala:~# ipsec statusall suiteB Status of IKEv1 pluto daemon (strongSwan 4.3.3): loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac debug options: control "suiteB": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com]; erouted; eroute owner: !#21 "suiteB": CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA' "suiteB": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 "suiteB": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s; "suiteB": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; "suiteB": newest ISAKMP SA: !#20; newest IPsec SA: !#21; "suiteB": IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256 "suiteB": ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A> !#21: "suiteB" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3580s; newest IPSEC; eroute owner !#21: "suiteB" esp.671c2d71@10.10.0.6 (180 bytes, 14s ago) esp.9f12330a@10.10.0.1 (240 bytes, 14s ago); tunnel !#20: "suiteB" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28780s; newest ISAKMP