Windows Suite B Support with IKEv1 » History » Version 18
« Previous -
Version 18/26
(diff) -
Next » -
Current version
Andreas Steffen, 22.07.2009 17:43
added Linux suiteB-384 information
Windows Suite B Support with IKEv1¶
Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by RFC 4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.
Preparations¶
Import of Windows Machine Certificates¶
First we import an ECDSA-256 and an ECDSA-384 machine certificate into the local computer part of the Windows registry using the Microsoft Management Console (mmc):
Here are some details of the imported ECDSA-256 certificate:
and here of the imported ECDSA-384 certificate:
Windows Suite B IKEv1 Main Mode Security Methods¶
The following command sets the IKEv1 Main Mode security methods:
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
The currently configured algorithms can be checked using the command:
netsh advfirewall show global Main Mode: KeyLifetime 480min,0sess SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 ForceDH No
Suite B with 128 Bit Security¶
Windows Connection Security Rule¶
First we create a new "VPN Suite B 256" security rule:
The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B 256":
netsh advfirewall consec set rule name="VPN Suite B 256" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
The current rule settings are shown with the following command:
netsh advfirewall consec show rule name="VPN Suite B 256" Rule Name: VPN Suite B 256 ---------------------------------------------------------------------- Enabled: Yes Profiles: Domain,Private,Public Type: Static Mode: Tunnel LocalTunnelEndpoint: 10.10.0.6 RemoteTunnelEndpoint: 10.10.0.1 Endpoint1: 10.10.0.6/32 Endpoint2: 10.10.1.0/24 Protocol: Any Action: RequireInRequireOut Auth1: ComputerCertECDSAP256 Auth1ECDSAP256CAName: C=CH, O=strongSec GmbH, CN=strongSec 2007 CA Auth1ECDSAP256CertMapping: No Auth1ECDSAP256ExcludeCAName: No Auth1ECDSAP256CertType: Root Auth1ECDSAP256HealthCert: No MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 QuickModeSecMethods: ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb ExemptIPsecProtectedConnections: No ApplyAuthorization: No Ok.
strongSwan Connection Definition¶
On the strongSwan side the following entries are required in ipsec.conf for 128 bit security:
conn suiteB-256
leftcert=koala_ec256Cert.pem
rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com"
ike=aes128-sha256-ecp256!
esp=aes128gcm16!
also=suiteB
auto=add
conn suiteB
left=10.10.0.1
leftsubnet=10.10.1.0/24
leftid=@koala.strongsec.com
leftfirewall=yes
lefthostaccess=yes
right=10.10.0.6
rightca=%same
keyexchange=ikev1
pfs=no
dpdaction=clear
dpddelay=300s
rekey=no
Windows Security Association Monitoring¶
Pinging host 10.10.1.11 behind the Linux VPN gateway from the Windows host triggers the IKEv1 tunnel setup.
The following Windows status information is available for the Main Mode:
and the established Quick Mode:
strongSwan IPsec Status Information¶
Here the resulting status output on the Linux side:
root@koala:~# ipsec statusall suiteB-256 Status of IKEv1 pluto daemon (strongSwan 4.3.3): interface eth1/eth1 10.10.0.1:4500 interface eth1/eth1 10.10.0.1:500 loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac debug options: control "suiteB-256": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com]; erouted; eroute owner: !#2 "suiteB-256": CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA' "suiteB-256": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 "suiteB-256": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s; "suiteB-256": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; "suiteB-256": newest ISAKMP SA: !#1; newest IPsec SA: !#2; "suiteB-256": IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256 "suiteB-256": ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A> !#2: "suiteB-256" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3579s; newest IPSEC; eroute owner !#2: "suiteB-256" esp.aa4cf272@10.10.0.6 (180 bytes, 16s ago) esp.cdf37664@10.10.0.1 (240 bytes, 16s ago); tunnel !#1: "suiteB-256" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28778s; newest ISAKMP
Suite B with 192 Bit Security¶
Windows Connection Security Rule¶
We create a "VPN Suite B 384" security rule:
The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B 384":
netsh advfirewall consec set rule name="VPN Suite B 384" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
The current rule settings are shown with the following command:
netsh advfirewall consec show rule name="VPN Suite B 384" Rule Name: VPN Suite B 384 ---------------------------------------------------------------------- Enabled: Yes Profiles: Domain,Private,Public Type: Static Mode: Tunnel LocalTunnelEndpoint: 10.10.0.6 RemoteTunnelEndpoint: 10.10.0.1 Endpoint1: 10.10.0.6/32 Endpoint2: 10.10.1.0/24 Protocol: Any Action: RequireInRequireOut Auth1: ComputerCertECDSAP384 Auth1ECDSAP384CAName: C=CH, O=strongSec GmbH, CN=strongSec 2007 CA Auth1ECDSAP384CertMapping: No Auth1ECDSAP384ExcludeCAName: No Auth1ECDSAP384CertType: Root Auth1ECDSAP384HealthCert: No MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 QuickModeSecMethods: ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb ExemptIPsecProtectedConnections: No ApplyAuthorization: No Ok.
Windows Security Association Monitoring¶
Pinging host 10.10.1.11 behind the Linux VPN gateway from the Windows host triggers the IKEv1 tunnel setup.
The following Windows status information is available for the Main Mode:
and the established Quick Mode:
strongSwan IPsec Status Information¶
Here the resulting status output on the Linux side:
root@koala:~# ipsec statusall suiteB-384 Status of IKEv1 pluto daemon (strongSwan 4.3.3): interface eth1/eth1 10.10.0.1:4500 interface eth1/eth1 10.10.0.1:500 loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac debug options: control "suiteB-384": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-384, CN=bonsai.strongsec.com]; erouted; eroute owner: !#6 "suiteB-384": CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA' "suiteB-384": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 "suiteB-384": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s; "suiteB-384": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; "suiteB-384": newest ISAKMP SA: !#5; newest IPsec SA: !#6; "suiteB-384": IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384 "suiteB-384": ESP proposal: AES_GCM_16_192/AUTH_NONE/<N/A> !#6: "suiteB-384" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3591s; newest IPSEC; eroute owner !#6: "suiteB-384" esp.f54365c2@10.10.0.6 (180 bytes, 4s ago) esp.9f80bd7e@10.10.0.1 (240 bytes, 4s ago); tunnel !#5: "suiteB-384" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28790s; newest ISAKMP