Version 14 - History - Windows Suite B Support with IKEv1 - strongSwan

Windows Suite B Support with IKEv1 » History » Version 14

Andreas Steffen, 22.07.2009 15:40
add ECDSA-256 machine certificate import

-Andreas Steffen
+h1. Windows Suite B Support with IKEv1
 Andreas Steffen
-Andreas Steffen
+Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.
 Andreas Steffen
-Andreas Steffen
+First we import an ECDSA-256 machine certificate in to the local computer part of the Windows registry using the Microsoft Management Console (mmc):
 Andreas Steffen
-Andreas Steffen
+!advfirewall_mmc.png!
 Andreas Steffen
-Andreas Steffen
+Here some details of the imported ECDSA-256 certificate:
 Andreas Steffen
-Andreas Steffen
+!advfirewall_ecdsa256_cert.png!
 Andreas Steffen
-Andreas Steffen
+Next we create a new "VPN Suite B" security rule:
 Andreas Steffen
-Andreas Steffen
+!advfirewall_security_rules.png!
 Andreas Steffen
-Andreas Steffen
+The following command sets the IKEv1 Main Mode algorithms:
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The currently configured algorithms can be checked using the command:
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+netsh advfirewall show global
 Andreas Steffen
-Andreas Steffen
+Main Mode:
-Andreas Steffen
+KeyLifetime  480min,0sess
-Andreas Steffen
+SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
-Andreas Steffen
+ForceDH      No
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B":
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+netsh advfirewall consec set rule name="VPN Suite B" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The current rule settings are shown with the following command:
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+netsh advfirewall consec show rule name="VPN Suite B"
 Andreas Steffen
-Andreas Steffen
+Rule Name:                            VPN Suite B
-Andreas Steffen
+----------------------------------------------------------------------
-Andreas Steffen
+Enabled:                              Yes
-Andreas Steffen
+Profiles:                             Domain,Private,Public
-Andreas Steffen
+Type:                                 Static
-Andreas Steffen
+Mode:                                 Tunnel
-Andreas Steffen
+LocalTunnelEndpoint:                  10.10.0.6
-Andreas Steffen
+RemoteTunnelEndpoint:                 10.10.0.1
-Andreas Steffen
+Endpoint1:                            10.10.0.6/32
-Andreas Steffen
+Endpoint2:                            10.10.1.0/24
-Andreas Steffen
+Protocol:                             Any
-Andreas Steffen
+Action:                               RequireInRequireOut
-Andreas Steffen
+Auth1:                                ComputerCertECDSAP256
-Andreas Steffen
+Auth1ECDSAP256CAName:                 C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
-Andreas Steffen
+Auth1ECDSAP256CertMapping:            No
-Andreas Steffen
+Auth1ECDSAP256ExcludeCAName:          No
-Andreas Steffen
+Auth1ECDSAP256CertType:               Root
-Andreas Steffen
+Auth1ECDSAP256HealthCert:             No
-Andreas Steffen
+MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
-Andreas Steffen
+QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
-Andreas Steffen
+ExemptIPsecProtectedConnections:      No
-Andreas Steffen
+ApplyAuthorization:                   No
-Andreas Steffen
+Ok.
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+On the strongSwan side the following entries are required in ipsec.conf for 128 bit security:
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+conn suiteB
-Andreas Steffen
+     left=10.10.0.1
-Andreas Steffen
+     leftcert=koala_ecCert.pem
-Andreas Steffen
+     leftid=@koala.strongsec.com
-Andreas Steffen
+     leftsubnet=10.10.1.0/24
-Andreas Steffen
+     leftfirewall=yes
-Andreas Steffen
+     lefthostaccess=yes
-Andreas Steffen
+     right=10.10.0.6
-Andreas Steffen
+     rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com"
-Andreas Steffen
+     rightca=%same
-Andreas Steffen
+     keyexchange=ikev1
-Andreas Steffen
+     ike=aes128-sha256-ecp256!
-Andreas Steffen
+     esp=aes128gcm16!
-Andreas Steffen
+     pfs=no
-Andreas Steffen
+     dpdaction=clear
-Andreas Steffen
+     dpddelay=300s
-Andreas Steffen
+     rekey=no
-Andreas Steffen
+     auto=add
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+Pinging host 10.10.1.11 from the Windows 7 host triggers the IKEv1 tunnel setup.
-Andreas Steffen
+The following Windows status information is available for the Main Mode:
 Andreas Steffen
-Andreas Steffen
+!advfirewall_main_mode_128.png!
 Andreas Steffen
-Andreas Steffen
+and the established Quick Mode:
 Andreas Steffen
-Andreas Steffen
+!advfirewall_quick_mode_128.png!
 Andreas Steffen
-Andreas Steffen
+And here the resulting status output on the Linux side:
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+root@koala:~# ipsec statusall suiteB
 Andreas Steffen
-Andreas Steffen
+Status of IKEv1 pluto daemon (strongSwan 4.3.3):
-Andreas Steffen
+loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac
-Andreas Steffen
+debug options: control
 Andreas Steffen
-Andreas Steffen
+"suiteB": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com]; erouted; eroute owner: !#21
-Andreas Steffen
+"suiteB":   CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'
-Andreas Steffen
+"suiteB":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
-Andreas Steffen
+"suiteB":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
-Andreas Steffen
+"suiteB":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
-Andreas Steffen
+"suiteB":   newest ISAKMP SA: !#20; newest IPsec SA: !#21;
-Andreas Steffen
+"suiteB":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
-Andreas Steffen
+"suiteB":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>
 Andreas Steffen
-Andreas Steffen
+!#21: "suiteB" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3580s; newest IPSEC; eroute owner
-Andreas Steffen
+!#21: "suiteB" esp.671c2d71@10.10.0.6 (180 bytes, 14s ago) esp.9f12330a@10.10.0.1 (240 bytes, 14s ago); tunnel
-Andreas Steffen
+!#20: "suiteB" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28780s; newest ISAKMP
-Andreas Steffen
+</pre>

Project

General

Profile

strongSwan

Windows Suite B Support with IKEv1 » History » Version 14