Windows Suite B Support with IKEv1 » History » Version 16

Andreas Steffen, 22.07.2009 17:07
both ECDSA-256 and ECDSA-384


Windows Suite B Support with IKEv1

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by RFC 4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.

Preparations

Import of Windows Machine Certificates

First we import an ECDSA-256 and an ECDSA-384 machine certificate into the local computer part of the Windows registry using the Microsoft Management Console (mmc):

Here are some details of the imported ECDSA-256 certificate:

and here are those of the imported ECDSA-384 certificate:

Windows Suite B IKEv1 Main Mode Security Methods

The following command sets the IKEv1 Main Mode security methods:

netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1

The currently configured algorithms can be checked using the command:

netsh advfirewall show global

Main Mode:
KeyLifetime  480min,0sess
SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH      No

Suite B with 128 Bit Security

Windows Connection Security Rule

First we create a new "VPN Suite B 256" security rule:

The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B 256":

netsh advfirewall consec set rule name="VPN Suite B 256" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256

The current rule settings are shown with the following command:

netsh advfirewall consec show rule name="VPN Suite B 256" 

Rule Name:                            VPN Suite B 256
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  10.10.0.6
RemoteTunnelEndpoint:                 10.10.0.1
Endpoint1:                            10.10.0.6/32
Endpoint2:                            10.10.1.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCertECDSAP256
Auth1ECDSAP256CAName:                 C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
Auth1ECDSAP256CertMapping:            No
Auth1ECDSAP256ExcludeCAName:          No
Auth1ECDSAP256CertType:               Root
Auth1ECDSAP256HealthCert:             No
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
Ok.

strongSwan Connection Definition

On the strongSwan side the following entries are required in ipsec.conf for 128-bit security:

conn suiteB
     left=10.10.0.1
     leftcert=koala_ecCert.pem
     leftid=@koala.strongsec.com
     leftsubnet=10.10.1.0/24
     leftfirewall=yes
     lefthostaccess=yes
     right=10.10.0.6
     rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com" 
     rightca=%same
     keyexchange=ikev1
     ike=aes128-sha256-ecp256!
     esp=aes128gcm16!
     pfs=no
     dpdaction=clear
     dpddelay=300s
     rekey=no
     auto=add
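
The following Python code is an example added here, not part of the original wiki page or of strongSwan: it translates the Windows method names shown by netsh into strongSwan proposal keywords and checks that the strict ike=/esp= proposals of conn suiteB are among what the Windows rule offers. The name mapping (DHGroup14 to modp2048, AESGCMnnn to aesnnngcm16) and the embedded sample text are assumptions of the example.

```python
import re
# Constructed sample: the two method lines from `netsh advfirewall consec show rule`
NETSH_RULE = """\
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
"""
# Constructed sample: the proposal lines of the conn section in ipsec.conf
IPSEC_CONF = """\
conn suiteB
     keyexchange=ikev1
     ike=aes128-sha256-ecp256!
     esp=aes128gcm16!
"""
# Windows DH names -> strongSwan group keywords (mapping assumed by this example)
DH = {"ECDHP256": "ecp256", "ECDHP384": "ecp384", "DHGROUP14": "modp2048"}

def netsh_field(text, name):
    """Return the comma-separated values of one 'Name:   value' netsh line."""
    m = re.search(rf"^{name}:\s*(\S+)", text, re.M)
    return m.group(1).split(",") if m else []

def mm_to_ike(method):
    """ECDHP256-AES128-SHA256 -> aes128-sha256-ecp256"""
    dh, enc, integ = method.upper().split("-")
    return f"{enc.lower()}-{integ.lower()}-{DH[dh]}"

def qm_to_esp(method):
    """ESP:AESGCM128-AESGCM128+60min+100000kb -> aes128gcm16"""
    m = re.match(r"ESP:AESGCM(\d+)-AESGCM\1", method, re.I)
    return f"aes{m.group(1)}gcm16" if m else None

def conf_proposal(conf, key):
    """Return (proposal, strict) for an ike= or esp= line; '!' is the strict flag."""
    value = re.search(rf"^\s*{key}=(\S+)", conf, re.M).group(1)
    return value.rstrip("!"), value.endswith("!")

def check(netsh, conf):
    """Compare the strongSwan proposals with the translated Windows offers."""
    offered = {"ike": [mm_to_ike(x) for x in netsh_field(netsh, "MainModeSecMethods")],
               "esp": [qm_to_esp(x) for x in netsh_field(netsh, "QuickModeSecMethods")]}
    result = {}
    for key in ("ike", "esp"):
        proposal, strict = conf_proposal(conf, key)
        result[key] = {"proposal": proposal, "strict": strict,
                       "offered_by_windows": proposal in offered[key],
                       "windows_extras": [p for p in offered[key] if p != proposal]}
    return result
if __name__ == "__main__":
    print(check(NETSH_RULE, IPSEC_CONF))
```

The `windows_extras` entries are methods the Windows rule still offers, such as the DHGroup14-AES128-SHA1 fallback, that the strict strongSwan proposal does not accept.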

Windows Security Association Monitoring

Pinging host 10.10.1.11 behind the Linux VPN gateway from the Windows host triggers the IKEv1 tunnel setup.
The following Windows status information is available for the Main Mode:

and the established Quick Mode:

strongSwan IPsec Status Information

Here is the resulting status output on the Linux side:

root@koala:~# ipsec statusall suiteB

Status of IKEv1 pluto daemon (strongSwan 4.3.3):
loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac 
debug options: control

"suiteB": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com]; erouted; eroute owner: !#21
"suiteB":   CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'
"suiteB":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"suiteB":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"suiteB":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; 
"suiteB":   newest ISAKMP SA: !#20; newest IPsec SA: !#21; 
"suiteB":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"suiteB":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

!#21: "suiteB" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3580s; newest IPSEC; eroute owner
!#21: "suiteB" esp.671c2d71@10.10.0.6 (180 bytes, 14s ago) esp.9f12330a@10.10.0.1 (240 bytes, 14s ago); tunnel
!#20: "suiteB" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28780s; newest ISAKMP

Suite B with 192 Bit Security

Windows Connection Security Rule

C:\Windows\system32>netsh advfirewall consec show rule name="VPN Suite B 384" 

Rule Name:                            VPN Suite B 384
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  10.10.0.6
RemoteTunnelEndpoint:                 10.10.0.1
Endpoint1:                            10.10.0.6/32
Endpoint2:                            10.10.1.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCertECDSAP384
Auth1ECDSAP384CAName:                 C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
Auth1ECDSAP384CertMapping:            No
Auth1ECDSAP384ExcludeCAName:          No
Auth1ECDSAP384CertType:               Root
Auth1ECDSAP384HealthCert:             No
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
Ok.

Windows Security Association Monitoring

strongSwan IPsec Status

Here is the resulting status output on the Linux side: