Windows Suite B Support with IKEv1 » History » Version 14
Andreas Steffen, 22.07.2009 15:40
add ECDSA-256 machine certificate import
h1. Windows Suite B Support with IKEv1

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.

First we import an ECDSA-256 machine certificate into the local computer part of the Windows registry using the Microsoft Management Console (mmc):

!advfirewall_mmc.png!

Here are some details of the imported ECDSA-256 certificate:

!advfirewall_ecdsa256_cert.png!

Next we create a new "VPN Suite B" security rule:

!advfirewall_security_rules.png!

The following command sets the IKEv1 Main Mode algorithms:

<pre>
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
</pre>

The currently configured algorithms can be checked using the command:

<pre>
netsh advfirewall show global

Main Mode:
KeyLifetime 480min,0sess
SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH No
</pre>

The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B":

<pre>
netsh advfirewall consec set rule name="VPN Suite B" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
</pre>

The current rule settings are shown with the following command:

<pre>
netsh advfirewall consec show rule name="VPN Suite B"

Rule Name: VPN Suite B
----------------------------------------------------------------------
Enabled: Yes
Profiles: Domain,Private,Public
Type: Static
Mode: Tunnel
LocalTunnelEndpoint: 10.10.0.6
RemoteTunnelEndpoint: 10.10.0.1
Endpoint1: 10.10.0.6/32
Endpoint2: 10.10.1.0/24
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerCertECDSAP256
Auth1ECDSAP256CAName: C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
Auth1ECDSAP256CertMapping: No
Auth1ECDSAP256ExcludeCAName: No
Auth1ECDSAP256CertType: Root
Auth1ECDSAP256HealthCert: No
MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods: ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Ok.
</pre>

On the strongSwan side the following entries are required in ipsec.conf for 128-bit security (the parameters of a conn section must be indented):

<pre>
conn suiteB
        left=10.10.0.1
        leftcert=koala_ecCert.pem
        leftid=@koala.strongsec.com
        leftsubnet=10.10.1.0/24
        leftfirewall=yes
        lefthostaccess=yes
        right=10.10.0.6
        rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com"
        rightca=%same
        keyexchange=ikev1
        ike=aes128-sha256-ecp256!
        esp=aes128gcm16!
        pfs=no
        dpdaction=clear
        dpddelay=300s
        rekey=no
        auto=add
</pre>

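The two sides name the same algorithms differently (netsh writes ECDHP256-AES128-SHA256 where strongSwan writes aes128-sha256-ecp256, and ESP:AESGCM128-AESGCM128 where strongSwan writes aes128gcm16), so a mismatch is easy to introduce. The Python script below is an added example, not part of this page or of strongSwan: it parses the netsh rule output and the ipsec.conf conn section above (both constructed copies of the text on this page), classifies each Windows proposal against the four suites of RFC 4869, and checks that the strongSwan ike= and esp= proposals have a counterpart in the Windows rule. The DH group and AES-GCM name mappings are assumptions based on the netsh keywords used on this page; the script also accepts comma-separated proposal lists in ike= and esp=, which this page's conn does not use.

```python
"""Cross-check netsh Main/Quick Mode proposals against strongSwan ike=/esp=.

Added example, not part of the wiki page or of strongSwan.  The inputs are
constructed from the netsh and ipsec.conf text shown on the page."""
import re

NETSH_SHOW_RULE = """\
Rule Name: VPN Suite B
Mode: Tunnel
Auth1: ComputerCertECDSAP256
MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods: ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
Ok.
"""

IPSEC_CONF = """\
conn suiteB
        keyexchange=ikev1
        ike=aes128-sha256-ecp256!
        esp=aes128gcm16!
        pfs=no
        auto=add
"""

# The four suites of RFC 4869 in netsh naming.  The IKE half is shared by the
# GCM and GMAC suite of the same strength; the 256-bit suites use AES-256 in
# IKE, so netsh's aes192 entries are not Suite B.
SUITE_B_MAIN_MODE = {
    "ECDHP256-AES128-SHA256": "Suite-B-GCM-128 / Suite-B-GMAC-128",
    "ECDHP384-AES256-SHA384": "Suite-B-GCM-256 / Suite-B-GMAC-256",
}
SUITE_B_QUICK_MODE = {
    "ESP:AESGCM128-AESGCM128": "Suite-B-GCM-128",
    "ESP:AESGCM256-AESGCM256": "Suite-B-GCM-256",
}
NOT_SUITE_B = "not an RFC 4869 suite"

# strongSwan DH group keywords -> netsh Main Mode group names (assumed mapping,
# covering the groups netsh accepts for mmsecmethods).
DH_GROUPS = {"modp1024": "DHGROUP2", "modp2048": "DHGROUP14",
             "ecp256": "ECDHP256", "ecp384": "ECDHP384"}


def netsh_field(text, field):
    """Entries of one 'Field: a,b,c' line, upper-cased, with the Quick Mode
    '+lifetime' suffixes removed so that only the algorithms remain."""
    m = re.search(rf"^{re.escape(field)}:\s*(.+)$", text, re.M)
    if not m:
        raise KeyError(field)
    return [e.split("+", 1)[0].upper() for e in m.group(1).split(",")]


def ipsec_conf_conn(text, name):
    """The key=value settings of one conn section of ipsec.conf."""
    settings, inside = {}, False
    for line in text.splitlines():
        if re.match(r"^(conn|ca|config)\s", line):      # a new section starts
            inside = line.split() == ["conn", name]
            continue
        if inside and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key] = value.rstrip("!")   # '!' only makes the list strict
    return settings


def ike_to_windows(proposal):
    """'aes128-sha256-ecp256' -> 'ECDHP256-AES128-SHA256'."""
    enc, integ, dh = proposal.split("-")
    return f"{DH_GROUPS[dh]}-{enc.upper()}-{integ.upper()}"


def esp_to_windows(proposal):
    """'aes128gcm16' -> 'ESP:AESGCM128-AESGCM128'.  netsh lists the AEAD
    algorithm twice, once as integrity and once as encryption algorithm."""
    m = re.fullmatch(r"aes(128|192|256)gcm16", proposal)
    if not m:
        raise ValueError(f"only AES-GCM with a 16-byte ICV is mapped: {proposal}")
    return f"ESP:AESGCM{m.group(1)}-AESGCM{m.group(1)}"


def crosscheck(netsh_rule, ipsec_conf, conn="suiteB"):
    """Classify every Windows proposal and check that at least one strongSwan
    ike= and esp= proposal has a counterpart in the Windows rule."""
    mm = netsh_field(netsh_rule, "MainModeSecMethods")
    qm = netsh_field(netsh_rule, "QuickModeSecMethods")
    conf = ipsec_conf_conn(ipsec_conf, conn)
    return {
        "main_mode": {e: SUITE_B_MAIN_MODE.get(e, NOT_SUITE_B) for e in mm},
        "quick_mode": {e: SUITE_B_QUICK_MODE.get(e, NOT_SUITE_B) for e in qm},
        "ike_match": any(ike_to_windows(p) in mm for p in conf["ike"].split(",")),
        "esp_match": any(esp_to_windows(p) in qm for p in conf["esp"].split(",")),
    }


if __name__ == "__main__":
    for key, value in crosscheck(NETSH_SHOW_RULE, IPSEC_CONF).items():
        print(f"{key}: {value}")
```

For the configuration on this page the script reports a match for both ike= and esp=, flags ECDHP256-AES128-SHA256 and ESP:AESGCM128-AESGCM128 as Suite-B-GCM-128, and flags the remaining Windows entries (AES-192 variants and the DHGroup14-AES128-SHA1 fallback) as outside RFC 4869. Because the strongSwan proposals end in "!", pluto only accepts exactly those proposals, so the Windows fallback entries can never be selected for this conn.
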
Pinging host 10.10.1.11 from the Windows 7 host triggers the IKEv1 tunnel setup.
The following Windows status information is available for the Main Mode:

!advfirewall_main_mode_128.png!

and the established Quick Mode:

!advfirewall_quick_mode_128.png!

And here is the resulting status output on the Linux side:

<pre>
root@koala:~# ipsec statusall suiteB

Status of IKEv1 pluto daemon (strongSwan 4.3.3):
loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac
debug options: control

"suiteB": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com]; erouted; eroute owner: !#21
"suiteB": CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'
"suiteB": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"suiteB": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"suiteB": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"suiteB": newest ISAKMP SA: !#20; newest IPsec SA: !#21;
"suiteB": IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"suiteB": ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

!#21: "suiteB" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3580s; newest IPSEC; eroute owner
!#21: "suiteB" esp.671c2d71@10.10.0.6 (180 bytes, 14s ago) esp.9f12330a@10.10.0.1 (240 bytes, 14s ago); tunnel
!#20: "suiteB" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28780s; newest ISAKMP
</pre>
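The status output is also the place to confirm, after the fact, that the tunnel negotiated Suite-B-GCM-128 rather than one of the fallback proposals the Windows rule offers. The script below is an added example, not part of this page or of strongSwan: it parses the relevant lines of the statusall output (a constructed excerpt of the text above, with the SA numbers written as plain "#20"/"#21") and returns a list of findings that is empty only when both SAs are established with exactly the expected proposals. One caveat it encodes: AUTH_NONE next to AES_GCM_16_128 is correct, because AES-GCM is an AEAD algorithm that provides its own integrity protection, so no separate ESP authentication algorithm is negotiated; the third field of the ESP proposal is the PFS group, <N/A> here because of pfs=no. The fallback sample is constructed to show a non-empty result.

```python
"""Verify negotiated Suite B proposals from 'ipsec statusall' output.

Added example, not part of the wiki page or of strongSwan; inputs are
constructed from the pluto status output shown on the page."""
import re

STATUSALL = """\
"suiteB": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"suiteB": newest ISAKMP SA: #20; newest IPsec SA: #21;
"suiteB": IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"suiteB": ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

#21: "suiteB" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3580s; newest IPSEC; eroute owner
#21: "suiteB" esp.671c2d71@10.10.0.6 (180 bytes, 14s ago) esp.9f12330a@10.10.0.1 (240 bytes, 14s ago); tunnel
#20: "suiteB" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28780s; newest ISAKMP
"""

# Constructed variant (not from the page): the same tunnel after falling
# back to a non-Suite B proposal with a separate ESP integrity algorithm.
STATUSALL_FALLBACK = STATUSALL.replace(
    "AES_CBC_128/HMAC_SHA2_256/ECP_256", "AES_CBC_128/HMAC_SHA1/MODP_2048"
).replace("AES_GCM_16_128/AUTH_NONE/<N/A>", "AES_CBC_128/HMAC_SHA1_96/<N/A>")

# RFC 4869 Suite-B-GCM-128 in pluto's naming.  AUTH_NONE is expected:
# AES-GCM is an AEAD cipher and needs no separate integrity algorithm.
SUITE_B_GCM_128 = {
    "ike": ("AES_CBC_128", "HMAC_SHA2_256", "ECP_256"),
    "esp": ("AES_GCM_16_128", "AUTH_NONE"),
}


def parse_statusall(text, conn="suiteB"):
    """Extract the negotiated proposals and SA states of one connection."""
    q = re.escape(f'"{conn}"')
    ike = re.search(rf"^{q}: IKE proposal: (\S+)", text, re.M)
    esp = re.search(rf"^{q}: ESP proposal: (\S+)", text, re.M)
    return {
        "ike": tuple(ike.group(1).split("/")) if ike else None,
        # drop the third field: it is the PFS group, <N/A> with pfs=no
        "esp": tuple(esp.group(1).split("/")[:2]) if esp else None,
        # initiator and responder states differ (MAIN_I4 vs MAIN_R3), so
        # match on the parenthesised text rather than the state name
        "isakmp_up": bool(re.search(
            rf"^#\d+: {q} STATE_MAIN_\w+ \([^)]*ISAKMP SA established\)", text, re.M)),
        "ipsec_up": bool(re.search(
            rf"^#\d+: {q} STATE_QUICK_\w+ \(IPsec SA established\)", text, re.M)),
    }


def verify(status, expected=SUITE_B_GCM_128):
    """Return a list of findings; an empty list means both SAs are up with
    exactly the expected Suite B proposals."""
    findings = []
    if not status["isakmp_up"]:
        findings.append("no established ISAKMP SA")
    if not status["ipsec_up"]:
        findings.append("no established IPsec SA")
    if status["ike"] != expected["ike"]:
        findings.append(f"IKE proposal {status['ike']} != {expected['ike']}")
    if status["esp"] != expected["esp"]:
        findings.append(f"ESP proposal {status['esp']} != {expected['esp']}")
    return findings


if __name__ == "__main__":
    print("page output:", verify(parse_statusall(STATUSALL)) or "OK")
    print("fallback:   ", verify(parse_statusall(STATUSALL_FALLBACK)))
```

Run against the output on this page the check returns no findings; against the constructed fallback it reports both the IKE and the ESP proposal as deviating from Suite-B-GCM-128, which is the kind of silent downgrade a periodic check of statusall output on the gateway is meant to catch.
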