Windows Suite B Support with IKEv1 (History, Version 16)

Andreas Steffen, 22.07.2009 17:07
both ECDSA-256 and ECDSA-384

h1. Windows Suite B Support with IKEv1

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.

h2. Preparations

h3. Import of Windows Machine Certificates

First we import an ECDSA-256 and an ECDSA-384 machine certificate into the Local Computer certificate store (kept in the Windows registry) using the Microsoft Management Console (mmc):

!advfirewall_mmc.png!

Here are some details of the imported ECDSA-256 certificate:

!advfirewall_ecdsa256_cert.png!

and here those of the imported ECDSA-384 certificate:

!advfirewall_ecdsa384_cert.png!

h3. Windows Suite B IKEv1 Main Mode Security Methods

The following command sets the IKEv1 Main Mode security methods:

<pre>
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
</pre>

The currently configured algorithms can be checked using the command:

<pre>
netsh advfirewall show global

Main Mode:
KeyLifetime  480min,0sess
SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH      No
</pre>

h2. Suite B with 128 Bit Security

h3. Windows Connection Security Rule

First we create a new "VPN Suite B 256" security rule:

!advfirewall_security_rule_256.png!

The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B 256":

<pre>
netsh advfirewall consec set rule name="VPN Suite B 256" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
</pre>

The current rule settings are shown with the following command:

<pre>
netsh advfirewall consec show rule name="VPN Suite B 256"

Rule Name:                            VPN Suite B 256
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  10.10.0.6
RemoteTunnelEndpoint:                 10.10.0.1
Endpoint1:                            10.10.0.6/32
Endpoint2:                            10.10.1.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCertECDSAP256
Auth1ECDSAP256CAName:                 C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
Auth1ECDSAP256CertMapping:            No
Auth1ECDSAP256ExcludeCAName:          No
Auth1ECDSAP256CertType:               Root
Auth1ECDSAP256HealthCert:             No
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
Ok.
</pre>

h3. strongSwan Connection Definition

On the strongSwan side the following entries are required in ipsec.conf for 128-bit security:

<pre>
conn suiteB
     left=10.10.0.1
     leftcert=koala_ecCert.pem
     leftid=@koala.strongsec.com
     leftsubnet=10.10.1.0/24
     leftfirewall=yes
     lefthostaccess=yes
     right=10.10.0.6
     rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com"
     rightca=%same
     keyexchange=ikev1
     ike=aes128-sha256-ecp256!
     esp=aes128gcm16!
     pfs=no
     dpdaction=clear
     dpddelay=300s
     rekey=no
     auto=add
</pre>
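As an added consistency check (not part of the original page or of strongSwan), the following Python script parses the Windows rule output and the ipsec.conf conn shown above and reports whether the strongSwan ike= and esp= proposals are among the methods the Windows rule offers. The sample inputs are constructed from the outputs on this page; the name mapping ECDHP256 → ecp256 and AESGCM128 → aes128gcm16 is confirmed by the ECP_256 and AES_GCM_16_128 proposals in the strongSwan status output, while ECDHP384 → ecp384 and DHGroup14 → modp2048 are assumed from the Windows naming.

```python
import re

# Constructed samples modelled on the netsh output and ipsec.conf shown on this page.
NETSH_RULE = """\
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
"""
IPSEC_CONF = """\
conn suiteB
     keyexchange=ikev1
     ike=aes128-sha256-ecp256!
     esp=aes128gcm16!
"""

# Windows DH group names -> strongSwan keywords (assumed mapping, see lead-in)
DH_MAP = {"ECDHP256": "ecp256", "ECDHP384": "ecp384", "DHGroup14": "modp2048"}

def netsh_field(output, name):
    m = re.search(r"^%s:\s+(\S+)" % re.escape(name), output, re.M)
    return m.group(1) if m else ""

def conn_field(conf, key):
    m = re.search(r"^\s*%s=(\S+)" % re.escape(key), conf, re.M)
    return m.group(1).rstrip("!") if m else ""  # "!" is strongSwan's strict flag

def windows_ike_proposals(output):
    """ECDHP256-AES128-SHA256 -> 'aes128-sha256-ecp256' (strongSwan ike= order)."""
    props = set()
    for method in netsh_field(output, "MainModeSecMethods").split(","):
        dh, enc, integ = method.split("-")
        props.add("%s-%s-%s" % (enc.lower(), integ.lower(), DH_MAP.get(dh, dh.lower())))
    return props

def windows_esp_proposals(output):
    """ESP:AESGCM128-AESGCM128+60min+100000kb -> 'aes128gcm16' (16-byte ICV)."""
    props = set()
    for method in netsh_field(output, "QuickModeSecMethods").split(","):
        proto, rest = method.split(":", 1)
        algs = rest.split("+")[0].split("-")  # integrity-encryption; lifetimes follow '+'
        bits = re.match(r"AESGCM(\d+)$", algs[-1])
        if proto == "ESP" and bits and len(set(algs)) == 1:  # combined-mode GCM only
            props.add("aes%sgcm16" % bits.group(1))
    return props

def check_interop(netsh_out, conf):
    """True for ike/esp when the strongSwan proposal is one the Windows rule offers."""
    return {"ike": conn_field(conf, "ike") in windows_ike_proposals(netsh_out),
            "esp": conn_field(conf, "esp") in windows_esp_proposals(netsh_out)}
```

Feeding it the two configurations above yields {'ike': True, 'esp': True}; a mismatch on either side is the first thing to check when the Main Mode or Quick Mode negotiation fails.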

h3. Windows Security Association Monitoring

Pinging host 10.10.1.11 behind the Linux VPN gateway from the Windows host triggers the IKEv1 tunnel setup.
The following Windows status information is available for the Main Mode:

!advfirewall_main_mode_128.png!

and the established Quick Mode:

!advfirewall_quick_mode_128.png!

h3. strongSwan IPsec Status Information

Here is the resulting status output on the Linux side:

<pre>
root@koala:~# ipsec statusall suiteB

Status of IKEv1 pluto daemon (strongSwan 4.3.3):
loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac 
debug options: control
 
"suiteB": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com]; erouted; eroute owner: !#21
"suiteB":   CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'
"suiteB":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"suiteB":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"suiteB":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; 
"suiteB":   newest ISAKMP SA: !#20; newest IPsec SA: !#21; 
"suiteB":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"suiteB":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>
 
!#21: "suiteB" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3580s; newest IPSEC; eroute owner
!#21: "suiteB" esp.671c2d71@10.10.0.6 (180 bytes, 14s ago) esp.9f12330a@10.10.0.1 (240 bytes, 14s ago); tunnel
!#20: "suiteB" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28780s; newest ISAKMP
</pre>

h2. Suite B with 192 Bit Security

h3. Windows Connection Security Rule

<pre>
C:\Windows\system32>netsh advfirewall consec show rule name="VPN Suite B 384"

Rule Name:                            VPN Suite B 384
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  10.10.0.6
RemoteTunnelEndpoint:                 10.10.0.1
Endpoint1:                            10.10.0.6/32
Endpoint2:                            10.10.1.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCertECDSAP384
Auth1ECDSAP384CAName:                 C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
Auth1ECDSAP384CertMapping:            No
Auth1ECDSAP384ExcludeCAName:          No
Auth1ECDSAP384CertType:               Root
Auth1ECDSAP384HealthCert:             No
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
Ok.
</pre>

h3. Windows Security Association Monitoring

h3. strongSwan IPsec Status

Here is the resulting status output on the Linux side: