Windows Suite B Support with IKEv1 » History » Version 13
Andreas Steffen, 22.07.2009 14:38
added screen shots
| 1 | 10 | Andreas Steffen | h1. Windows Suite B Support with IKEv1 |
|---|---|---|---|
| 2 | 1 | Andreas Steffen | |
| 3 | 3 | Andreas Steffen | Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/. |
| 4 | 2 | Andreas Steffen | |
| 5 | 13 | Andreas Steffen | First we create a new "VPN Suite B" security rule: |
| 6 | 13 | Andreas Steffen | |
| 7 | 13 | Andreas Steffen | !advfirewall_security_rules.png! |
| 8 | 13 | Andreas Steffen | |
| 9 | 8 | Andreas Steffen | The following command sets the IKEv1 Main Mode algorithms: |
| 10 | 2 | Andreas Steffen | |
| 11 | 1 | Andreas Steffen | <pre> |
| 12 | 1 | Andreas Steffen | netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1 |
| 13 | 1 | Andreas Steffen | </pre> |
| 14 | 2 | Andreas Steffen | |
| 15 | 2 | Andreas Steffen | The currently configured algorithms can be checked using the command: |
| 16 | 1 | Andreas Steffen | |
| 17 | 1 | Andreas Steffen | <pre> |
| 18 | 1 | Andreas Steffen | netsh advfirewall show global |
| 19 | 1 | Andreas Steffen | |
| 20 | 1 | Andreas Steffen | Main Mode: |
| 21 | 1 | Andreas Steffen | KeyLifetime 480min,0sess |
| 22 | 1 | Andreas Steffen | SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 |
| 23 | 1 | Andreas Steffen | ForceDH No |
| 24 | 3 | Andreas Steffen | </pre> |
| 25 | 3 | Andreas Steffen | |
| 26 | 11 | Andreas Steffen | The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B": |
| 27 | 3 | Andreas Steffen | |
| 28 | 3 | Andreas Steffen | <pre> |
| 29 | 11 | Andreas Steffen | netsh advfirewall consec set rule name="VPN Suite B" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256 |
| 30 | 3 | Andreas Steffen | </pre> |
| 31 | 4 | Andreas Steffen | |
| 32 | 8 | Andreas Steffen | The current rule settings are shown with the following command: |
| 33 | 5 | Andreas Steffen | |
| 34 | 5 | Andreas Steffen | <pre> |
| 35 | 11 | Andreas Steffen | netsh advfirewall consec show rule name="VPN Suite B" |
| 36 | 5 | Andreas Steffen | |
| 37 | 11 | Andreas Steffen | Rule Name: VPN Suite B |
| 38 | 5 | Andreas Steffen | ---------------------------------------------------------------------- |
| 39 | 5 | Andreas Steffen | Enabled: Yes |
| 40 | 5 | Andreas Steffen | Profiles: Domain,Private,Public |
| 41 | 5 | Andreas Steffen | Type: Static |
| 42 | 5 | Andreas Steffen | Mode: Tunnel |
| 43 | 11 | Andreas Steffen | LocalTunnelEndpoint: 10.10.0.6 |
| 44 | 5 | Andreas Steffen | RemoteTunnelEndpoint: 10.10.0.1 |
| 45 | 5 | Andreas Steffen | Endpoint1: 10.10.0.6/32 |
| 46 | 5 | Andreas Steffen | Endpoint2: 10.10.1.0/24 |
| 47 | 5 | Andreas Steffen | Protocol: Any |
| 48 | 5 | Andreas Steffen | Action: RequireInRequireOut |
| 49 | 11 | Andreas Steffen | Auth1: ComputerCertECDSAP256 |
| 50 | 11 | Andreas Steffen | Auth1ECDSAP256CAName: C=CH, O=strongSec GmbH, CN=strongSec 2007 CA |
| 51 | 11 | Andreas Steffen | Auth1ECDSAP256CertMapping: No |
| 52 | 11 | Andreas Steffen | Auth1ECDSAP256ExcludeCAName: No |
| 53 | 11 | Andreas Steffen | Auth1ECDSAP256CertType: Root |
| 54 | 11 | Andreas Steffen | Auth1ECDSAP256HealthCert: No |
| 55 | 5 | Andreas Steffen | MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 |
| 56 | 11 | Andreas Steffen | QuickModeSecMethods: ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb |
| 57 | 1 | Andreas Steffen | ExemptIPsecProtectedConnections: No |
| 58 | 1 | Andreas Steffen | ApplyAuthorization: No |
| 59 | 5 | Andreas Steffen | Ok. |
| 60 | 1 | Andreas Steffen | </pre> |
| 61 | 5 | Andreas Steffen | |
| 62 | 8 | Andreas Steffen | On the strongSwan side the following entries are required in ipsec.conf for 128 bit security: |
| 63 | 8 | Andreas Steffen | |
| 64 | 1 | Andreas Steffen | <pre> |
| 65 | 11 | Andreas Steffen | conn suiteB |
| 66 | 12 | Andreas Steffen | left=10.10.0.1 |
| 67 | 12 | Andreas Steffen | leftcert=koala_ecCert.pem |
| 68 | 12 | Andreas Steffen | leftid=@koala.strongsec.com |
| 69 | 12 | Andreas Steffen | leftsubnet=10.10.1.0/24 |
| 70 | 12 | Andreas Steffen | leftfirewall=yes |
| 71 | 12 | Andreas Steffen | lefthostaccess=yes |
| 72 | 12 | Andreas Steffen | right=10.10.0.6 |
| 73 | 12 | Andreas Steffen | rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com" |
| 74 | 12 | Andreas Steffen | rightca=%same |
| 75 | 1 | Andreas Steffen | keyexchange=ikev1 |
| 76 | 1 | Andreas Steffen | ike=aes128-sha256-ecp256! |
| 77 | 1 | Andreas Steffen | esp=aes128gcm16! |
| 78 | 10 | Andreas Steffen | pfs=no |
| 79 | 12 | Andreas Steffen | dpdaction=clear |
| 80 | 12 | Andreas Steffen | dpddelay=300s |
| 81 | 12 | Andreas Steffen | rekey=no |
| 82 | 10 | Andreas Steffen | auto=add |
| 83 | 1 | Andreas Steffen | </pre> |
| 84 | 1 | Andreas Steffen | |
| 85 | 13 | Andreas Steffen | Pinging host 10.10.1.11 from the Windows 7 host triggers the IKEv1 tunnel setup. |
| 86 | 13 | Andreas Steffen | The following Windows status information is available for the Main Mode: |
| 87 | 13 | Andreas Steffen | |
| 88 | 13 | Andreas Steffen | !advfirewall_main_mode_128.png! |
| 89 | 13 | Andreas Steffen | |
| 90 | 13 | Andreas Steffen | and the established Quick Mode: |
| 91 | 13 | Andreas Steffen | |
| 92 | 13 | Andreas Steffen | !advfirewall_quick_mode_128.png! |
| 93 | 13 | Andreas Steffen | |
| 94 | 13 | Andreas Steffen | And here the resulting status output on the Linux side: |
| 95 | 8 | Andreas Steffen | |
| 96 | 8 | Andreas Steffen | <pre> |
| 97 | 12 | Andreas Steffen | root@koala:~# ipsec statusall suiteB |
| 98 | 8 | Andreas Steffen | |
| 99 | 12 | Andreas Steffen | Status of IKEv1 pluto daemon (strongSwan 4.3.3): |
| 100 | 12 | Andreas Steffen | loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac |
| 101 | 12 | Andreas Steffen | debug options: control |
| 102 | 10 | Andreas Steffen | |
| 103 | 12 | Andreas Steffen | "suiteB": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com]; erouted; eroute owner: !#21 |
| 104 | 12 | Andreas Steffen | "suiteB": CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA' |
| 105 | 12 | Andreas Steffen | "suiteB": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 |
| 106 | 12 | Andreas Steffen | "suiteB": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s; |
| 107 | 12 | Andreas Steffen | "suiteB": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; |
| 108 | 12 | Andreas Steffen | "suiteB": newest ISAKMP SA: !#20; newest IPsec SA: !#21; |
| 109 | 12 | Andreas Steffen | "suiteB": IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256 |
| 110 | 12 | Andreas Steffen | "suiteB": ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A> |
| 111 | 12 | Andreas Steffen | |
| 112 | 12 | Andreas Steffen | !#21: "suiteB" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3580s; newest IPSEC; eroute owner |
| 113 | 12 | Andreas Steffen | !#21: "suiteB" esp.671c2d71@10.10.0.6 (180 bytes, 14s ago) esp.9f12330a@10.10.0.1 (240 bytes, 14s ago); tunnel |
| 114 | 12 | Andreas Steffen | !#20: "suiteB" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28780s; newest ISAKMP |
| 115 | 1 | Andreas Steffen | </pre> |