Windows Suite B Support with IKEv1 » History » Version 13

Andreas Steffen, 22.07.2009 14:38
added screen shots

h1. Windows Suite B Support with IKEv1

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.

First we create a new "VPN Suite B" security rule:

!advfirewall_security_rules.png!

The following command sets the IKEv1 Main Mode algorithms:

<pre>
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
</pre>

The currently configured algorithms can be checked using the command:

<pre>
netsh advfirewall show global

Main Mode:
KeyLifetime  480min,0sess
SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH      No
</pre>

The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B":

<pre>
netsh advfirewall consec set rule name="VPN Suite B" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
</pre>

The current rule settings are shown with the following command:

<pre>
netsh advfirewall consec show rule name="VPN Suite B"

Rule Name:                            VPN Suite B
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  10.10.0.6
RemoteTunnelEndpoint:                 10.10.0.1
Endpoint1:                            10.10.0.6/32
Endpoint2:                            10.10.1.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCertECDSAP256
Auth1ECDSAP256CAName:                 C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
Auth1ECDSAP256CertMapping:            No
Auth1ECDSAP256ExcludeCAName:          No
Auth1ECDSAP256CertType:               Root
Auth1ECDSAP256HealthCert:             No
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
Ok.
</pre>

On the strongSwan side the following entries are required in ipsec.conf for 128-bit security:

<pre>
conn suiteB
     left=10.10.0.1
     leftcert=koala_ecCert.pem
     leftid=@koala.strongsec.com
     leftsubnet=10.10.1.0/24
     leftfirewall=yes
     lefthostaccess=yes
     right=10.10.0.6
     rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com"
     rightca=%same
     keyexchange=ikev1
     ike=aes128-sha256-ecp256!
     esp=aes128gcm16!
     pfs=no
     dpdaction=clear
     dpddelay=300s
     rekey=no
     auto=add
</pre>
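The Windows and strongSwan sides spell the same algorithms differently (ECDHP256-AES128-SHA256 versus aes128-sha256-ecp256, ESP:AESGCM128-AESGCM128 versus aes128gcm16), and not every method in the Windows lists is an RFC 4869 suite. The following Python script is an added example, not part of this wiki page or of strongSwan: it parses the netsh rule output, translates each method into ipsec.conf proposal syntax, reports which entries match a Suite B suite, and derives strict ike=/esp= lines from them. The token tables are an assumed mapping and the sample text is constructed from the rule output shown above.

```python
# Added example: map the netsh IPsec method strings on this page to strongSwan
# ipsec.conf proposal syntax and check them against the RFC 4869 Suite B parameters.
import re
# netsh token -> strongSwan keyword (assumed mapping; Windows DHGroup14 is 2048-bit MODP)
DH = {"ECDHP256": "ecp256", "ECDHP384": "ecp384", "DHGROUP14": "modp2048"}
ENC = {"AES128": "aes128", "AES192": "aes192", "AES256": "aes256", "3DES": "3des"}
INTEG = {"SHA256": "sha256", "SHA384": "sha384", "SHA1": "sha1", "MD5": "md5"}
# RFC 4869 IKE parameters (encryption, integrity, DH group) and ESP transforms
SUITE_B_IKE = {("aes128", "sha256", "ecp256"): "Suite-B-GCM-128 / Suite-B-GMAC-128",
               ("aes256", "sha384", "ecp384"): "Suite-B-GCM-256 / Suite-B-GMAC-256"}
SUITE_B_ESP = {"aes128gcm16": "Suite-B-GCM-128", "aes256gcm16": "Suite-B-GCM-256"}

def mainmode_to_strongswan(method):
    """'ECDHP256-AES128-SHA256' -> 'aes128-sha256-ecp256'."""
    dh, enc, integ = method.upper().split("-")
    return f"{ENC[enc]}-{INTEG[integ]}-{DH[dh]}"

def quickmode_to_strongswan(method):
    """'ESP:AESGCM128-AESGCM128+60min+100000kb' -> 'aes128gcm16' (16-octet ICV, as RFC 4869 requires)."""
    proto, rest = method.upper().split(":", 1)
    integ, enc = rest.split("+")[0].split("-")  # netsh order is integrity-encryption
    m = re.fullmatch(r"AESGCM(128|192|256)", enc)
    if proto != "ESP" or not m or integ != enc:
        raise ValueError(f"not an ESP AES-GCM method: {method}")
    return f"aes{m.group(1)}gcm16"

def parse_show_rule(text):
    """Extract both SecMethods lists from 'netsh advfirewall consec show rule' output."""
    fields = dict(re.findall(r"^(\w+):\s+(\S.*)$", text, re.M))
    return fields["MainModeSecMethods"].split(","), fields["QuickModeSecMethods"].split(",")

def audit(text):
    """Map every Windows method to (strongSwan spelling, Suite B status)."""
    mm, qm = parse_show_rule(text)
    proposals = {m: mainmode_to_strongswan(m) for m in mm}
    proposals.update({m: quickmode_to_strongswan(m) for m in qm})
    return {w: (p, SUITE_B_IKE.get(tuple(p.split("-")), SUITE_B_ESP.get(p, "not Suite B")))
            for w, p in proposals.items()}

def strongswan_suite_b(text):
    """ike=/esp= lines keeping only the Suite B proposals; the trailing '!' makes
    strongSwan reject any other proposal offered by the peer (strict mode)."""
    kept = [p for p, status in audit(text).values() if status != "not Suite B"]
    ike, esp = [p for p in kept if "-" in p], [p for p in kept if "-" not in p]
    return f"ike={','.join(ike)}!", f"esp={','.join(esp)}!"

SAMPLE = (  # constructed sample mirroring the 'show rule' output on this page
    "MainModeSecMethods:   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1\n"
    "QuickModeSecMethods:  ESP:AESGCM128-AESGCM128+60min+100000kb,"
    "ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb\n")
```

Running audit(SAMPLE) shows that only ECDHP256-AES128-SHA256 and the AES-GCM-128/256 transforms are RFC 4869 suites; DHGroup14-AES128-SHA1 and the AES-192 entries are reported as "not Suite B", which is why the page's ipsec.conf pins ike=aes128-sha256-ecp256! with the strict marker.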

Pinging host 10.10.1.11 from the Windows 7 host triggers the IKEv1 tunnel setup.
The following Windows status information is available for the Main Mode:

!advfirewall_main_mode_128.png!

and the established Quick Mode:

!advfirewall_quick_mode_128.png!

And here is the resulting status output on the Linux side:

<pre>
root@koala:~# ipsec statusall suiteB

Status of IKEv1 pluto daemon (strongSwan 4.3.3):
loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac
debug options: control

"suiteB": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com]; erouted; eroute owner: !#21
"suiteB":   CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'
"suiteB":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"suiteB":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"suiteB":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"suiteB":   newest ISAKMP SA: !#20; newest IPsec SA: !#21;
"suiteB":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"suiteB":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

!#21: "suiteB" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3580s; newest IPSEC; eroute owner
!#21: "suiteB" esp.671c2d71@10.10.0.6 (180 bytes, 14s ago) esp.9f12330a@10.10.0.1 (240 bytes, 14s ago); tunnel
!#20: "suiteB" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28780s; newest ISAKMP
</pre>