Windows Suite B Support with IKEv1 » History » Version 15

Andreas Steffen, 22.07.2009 15:41
fixed a typo

h1. Windows Suite B Support with IKEv1

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined in "RFC 4869":http://tools.ietf.org/html/rfc4869, i.e. AES-GCM for ESP, ECDH on the P-256 and P-384 curves, SHA-256/SHA-384 and ECDSA authentication. For the Windows configuration details see "Microsoft KB 949856":http://support.microsoft.com/kb/949856/.

First we import an ECDSA-256 machine certificate, together with its private key, into the Local Computer certificate store using the Microsoft Management Console (mmc):

!advfirewall_mmc.png!

Here are some details of the imported ECDSA-256 certificate:

!advfirewall_ecdsa256_cert.png!

Next we create a new connection security rule named "VPN Suite B":

!advfirewall_security_rules.png!

The following command sets the IKEv1 Main Mode algorithms. Main Mode settings are global in advfirewall and therefore apply to every connection security rule on the host. The proposals are offered to the peer in the listed order; the third entry (DHGroup14 with AES-128 and SHA-1) is not a Suite B algorithm set but a fallback for peers without ECDH support:

<pre>
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
</pre>

The currently configured Main Mode settings can be checked with:

<pre>
netsh advfirewall show global

Main Mode:
KeyLifetime  480min,0sess
SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH      No
</pre>

The following command sets the IKEv1 Quick Mode (ESP) algorithms of the rule "VPN Suite B"; unlike the Main Mode algorithms, Quick Mode algorithms are configured per rule. netsh writes each ESP method as an integrity algorithm followed by an encryption algorithm (e.g. sha1-aes128); with AES-GCM, an authenticated cipher, both tokens are the same:

<pre>
netsh advfirewall consec set rule name="VPN Suite B" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
</pre>

The current rule settings are displayed with the following command. The +60min+100000kb suffixes that netsh appends to the Quick Mode methods are the default Quick Mode SA lifetimes (60 minutes or 100000 KB); the 60 minutes match the ipsec_life of 3600s on the strongSwan side:

<pre>
netsh advfirewall consec show rule name="VPN Suite B"

Rule Name:                            VPN Suite B
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  10.10.0.6
RemoteTunnelEndpoint:                 10.10.0.1
Endpoint1:                            10.10.0.6/32
Endpoint2:                            10.10.1.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCertECDSAP256
Auth1ECDSAP256CAName:                 C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
Auth1ECDSAP256CertMapping:            No
Auth1ECDSAP256ExcludeCAName:          No
Auth1ECDSAP256CertType:               Root
Auth1ECDSAP256HealthCert:             No
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
Ok.
</pre>

On the strongSwan side (strongSwan 4.3.3 with the IKEv1 pluto daemon in this example) the following ipsec.conf connection provides the 128-bit security level, i.e. Suite-B-GCM-128 of RFC 4869:

<pre>
conn suiteB
     left=10.10.0.1
     leftcert=koala_ecCert.pem
     leftid=@koala.strongsec.com
     leftsubnet=10.10.1.0/24
     leftfirewall=yes
     lefthostaccess=yes
     right=10.10.0.6
     rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com"
     rightca=%same
     keyexchange=ikev1
     ike=aes128-sha256-ecp256!
     esp=aes128gcm16!
     pfs=no
     dpdaction=clear
     dpddelay=300s
     rekey=no
     auto=add
</pre>

The trailing ! in the ike and esp lines makes both proposals strict: pluto accepts only aes128-sha256-ecp256 in Main Mode and aes128gcm16 (AES-GCM with a 128-bit key and a 16-octet ICV) in Quick Mode, and ignores the other proposals Windows offers, in particular the DHGroup14/SHA-1 fallback. pfs=no matches the Windows rule, which sets no Quick Mode PFS group (the group field of the negotiated ESP proposal in the status output below shows N/A), and rekey=no leaves rekeying to the Windows initiator.

Pinging host 10.10.1.11, which lies in the 10.10.1.0/24 subnet behind the Linux VPN gateway, from the Windows host triggers the IKEv1 tunnel setup. The Windows console then shows the following status information for the Main Mode SA:

!advfirewall_main_mode_128.png!

and for the established Quick Mode SA:

!advfirewall_quick_mode_128.png!

And here is the resulting status output on the Linux side:

<pre>
root@koala:~# ipsec statusall suiteB

Status of IKEv1 pluto daemon (strongSwan 4.3.3):
loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac
debug options: control

"suiteB": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com]; erouted; eroute owner: !#21
"suiteB":   CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'
"suiteB":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"suiteB":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"suiteB":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"suiteB":   newest ISAKMP SA: !#20; newest IPsec SA: !#21;
"suiteB":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"suiteB":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

!#21: "suiteB" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3580s; newest IPSEC; eroute owner
!#21: "suiteB" esp.671c2d71@10.10.0.6 (180 bytes, 14s ago) esp.9f12330a@10.10.0.1 (240 bytes, 14s ago); tunnel
!#20: "suiteB" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28780s; newest ISAKMP
</pre>
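As an added check (example code written for this page; it is neither part of strongSwan nor of the Windows tooling), the following Python script audits both sides against the RFC 4869 GCM suites: it parses the MainModeSecMethods and QuickModeSecMethods lines of the netsh rule dump above and the negotiated IKE/ESP proposals from the ipsec statusall output, normalizes the two vendors' algorithm spellings to one naming scheme, and reports for every entry whether it is Suite-B-GCM-128, Suite-B-GCM-256 or not an RFC 4869 suite at all. The suite definitions are taken from RFC 4869; the netsh-to-pluto name tables and the sample inputs (excerpts of the two outputs shown on this page) are constructed for the example, and the GMAC suites and AH are deliberately left out.

```python
"""Audit IKEv1 Main/Quick Mode proposals against the RFC 4869 Suite B GCM suites:
the methods a Windows netsh rule is configured to offer, and the proposals pluto negotiated."""
import re

# RFC 4869 Suite-B-GCM-128 / -256 in vendor-neutral (pluto-style) names.
#   ike: (encryption, key bits, integrity/PRF, DH group); esp: (encryption, key bits, integrity)
# AES-GCM carries its own 16-octet ICV, hence AUTH_NONE. The GMAC suites are not modelled (assumption).
SUITE_B = {
    "Suite-B-GCM-128": {"ike": ("AES_CBC", 128, "HMAC_SHA2_256", "ECP_256"),
                        "esp": ("AES_GCM_16", 128, "AUTH_NONE")},
    "Suite-B-GCM-256": {"ike": ("AES_CBC", 256, "HMAC_SHA2_384", "ECP_384"),
                        "esp": ("AES_GCM_16", 256, "AUTH_NONE")},
}
# netsh spellings -> pluto-style names (constructed mapping for this example)
NETSH_HASH = {"MD5": "HMAC_MD5", "SHA1": "HMAC_SHA1", "SHA256": "HMAC_SHA2_256", "SHA384": "HMAC_SHA2_384"}
NETSH_GROUP = {"DHGROUP1": "MODP_768", "DHGROUP2": "MODP_1024", "DHGROUP14": "MODP_2048",
               "ECDHP256": "ECP_256", "ECDHP384": "ECP_384"}

# Excerpts of the two outputs shown on this page (constructed test input, not live data).
NETSH_SHOW_RULE = """\
Rule Name:                            VPN Suite B
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
Ok.
"""
PLUTO_STATUSALL = """\
"suiteB":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"suiteB":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>
"""

def netsh_cipher(token):
    """'AES128' -> ('AES_CBC', 128), 'AESGCM256' -> ('AES_GCM_16', 256), '3DES' -> ('3DES_CBC', 192)."""
    t = token.upper()
    if t == "3DES":
        return ("3DES_CBC", 192)
    m = re.fullmatch(r"AES(GCM)?(128|192|256)", t)
    if not m:
        raise ValueError("unsupported netsh cipher %r" % token)
    return ("AES_GCM_16" if m.group(1) else "AES_CBC", int(m.group(2)))

def parse_netsh_mainmode(method):
    """'ECDHP256-AES128-SHA256' -> ('AES_CBC', 128, 'HMAC_SHA2_256', 'ECP_256')."""
    group, enc, hash_ = method.strip().split("-")
    cipher, bits = netsh_cipher(enc)
    return (cipher, bits, NETSH_HASH[hash_.upper()], NETSH_GROUP[group.upper()])

def parse_netsh_quickmode(method):
    """'ESP:AESGCM128-AESGCM128+60min+100000kb' -> ('AES_GCM_16', 128, 'AUTH_NONE').
    netsh writes integrity-encryption; the '+' suffixes are lifetimes and are dropped."""
    proto, algs = method.strip().split("+")[0].split(":")
    if proto.upper() != "ESP":
        raise ValueError("only ESP is audited, got %r" % proto)
    integ, enc = algs.split("-")
    cipher, bits = netsh_cipher(enc)
    integrity = "AUTH_NONE" if cipher == "AES_GCM_16" else NETSH_HASH[integ.upper()]
    return (cipher, bits, integrity)

def parse_pluto(proposal):
    """'AES_CBC_128/HMAC_SHA2_256/ECP_256' -> ('AES_CBC', 128, 'HMAC_SHA2_256', 'ECP_256');
    for ESP the third field is the PFS group, '<N/A>' when pfs=no."""
    enc, integ, group = proposal.strip().split("/", 2)
    cipher, bits = enc.rsplit("_", 1)
    return (cipher, int(bits), integ, group)

def classify(kind, algs):
    """Name of the RFC 4869 suite whose 'ike' or 'esp' part equals algs, else None."""
    for name, parts in SUITE_B.items():
        if parts[kind] == algs:
            return name
    return None

def audit_netsh_rule(show_rule_output):
    """Classify every Main Mode and Quick Mode method a netsh rule is configured to offer."""
    fields = dict(re.findall(r"^(\w+):\s+(\S.*)$", show_rule_output, re.M))
    report = {}
    for m in fields["MainModeSecMethods"].split(","):
        report[m] = classify("ike", parse_netsh_mainmode(m))
    for m in fields["QuickModeSecMethods"].split(","):
        report[m] = classify("esp", parse_netsh_quickmode(m))
    return report

def audit_pluto_status(statusall_output):
    """Classify the IKE and ESP proposals pluto actually negotiated (the PFS group is not part of the suite)."""
    ike = re.search(r"IKE proposal:\s*(\S+)", statusall_output).group(1)
    esp = re.search(r"ESP proposal:\s*(\S+)", statusall_output).group(1)
    return {ike: classify("ike", parse_pluto(ike)), esp: classify("esp", parse_pluto(esp)[:3])}

def suite_b_only(report):
    """True when every audited method is an RFC 4869 suite, i.e. no fallback is offered or negotiated."""
    return all(report.values())

if __name__ == "__main__":
    for label, report in (("Windows (configured)", audit_netsh_rule(NETSH_SHOW_RULE)),
                          ("strongSwan (negotiated)", audit_pluto_status(PLUTO_STATUSALL))):
        print(label, "- Suite B only" if suite_b_only(report) else "- non-Suite B entries present")
        for method, suite in report.items():
            print("  %-62s %s" % (method, suite or "not an RFC 4869 suite"))
```

Run on the page's data, the script flags DHGroup14-AES128-SHA1 and the Windows-specific AES-192 entries (ECDHP384-AES192-SHA384, AESGCM192) as outside RFC 4869, while the two proposals pluto negotiated are Suite-B-GCM-128 in both phases. Pointing it at live output (redirect netsh advfirewall consec show rule and ipsec statusall into files) turns the check into a repeatable step after every policy change.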