Project

General

Profile

Windows Suite B Support with IKEv1 » History » Version 18

Andreas Steffen, 22.07.2009 17:43
added Linux suiteB-384 information

1 10 Andreas Steffen
h1. Windows Suite B Support with IKEv1
2 1 Andreas Steffen
3 3 Andreas Steffen
Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.
4 2 Andreas Steffen
5 16 Andreas Steffen
h2. Preparations
6 1 Andreas Steffen
7 16 Andreas Steffen
h3. Import of Windows Machine Certificates
8 16 Andreas Steffen
9 16 Andreas Steffen
First we import an ECDSA-256 and an ECDSA-384 machine certificate into the local computer part of the Windows registry using the Microsoft Management Console (mmc):
10 16 Andreas Steffen
11 14 Andreas Steffen
!advfirewall_mmc.png!
12 14 Andreas Steffen
13 17 Andreas Steffen
Here are some details of the imported ECDSA-256 certificate:
14 14 Andreas Steffen
15 1 Andreas Steffen
!advfirewall_ecdsa256_cert.png!
16 1 Andreas Steffen
17 16 Andreas Steffen
and here of the imported ECDSA-384 certificate:
18 13 Andreas Steffen
19 16 Andreas Steffen
!advfirewall_ecdsa384_cert.png!
20 1 Andreas Steffen
21 16 Andreas Steffen
h3. Windows Suite B IKEv1 Main Mode Security Methods
22 13 Andreas Steffen
23 16 Andreas Steffen
The following command sets the IKEv1 Main Mode security methods:
24 16 Andreas Steffen
25 1 Andreas Steffen
<pre>
26 1 Andreas Steffen
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
27 1 Andreas Steffen
</pre>
28 2 Andreas Steffen
29 2 Andreas Steffen
The currently configured algorithms can be checked using the command:
30 1 Andreas Steffen
31 1 Andreas Steffen
<pre>
32 1 Andreas Steffen
netsh advfirewall show global
33 1 Andreas Steffen
34 1 Andreas Steffen
Main Mode:
35 1 Andreas Steffen
KeyLifetime  480min,0sess
36 1 Andreas Steffen
SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
37 1 Andreas Steffen
ForceDH      No
38 1 Andreas Steffen
</pre>
39 1 Andreas Steffen
40 16 Andreas Steffen
h2. Suite B with 128 Bit Security
41 1 Andreas Steffen
42 16 Andreas Steffen
h3. Windows Connection Security Rule
43 16 Andreas Steffen
44 16 Andreas Steffen
First we create a new "VPN Suite B 256" security rule:
45 16 Andreas Steffen
46 16 Andreas Steffen
!advfirewall_security_rule_256.png!
47 16 Andreas Steffen
48 16 Andreas Steffen
The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B 256":
49 16 Andreas Steffen
50 1 Andreas Steffen
<pre>
51 16 Andreas Steffen
netsh advfirewall consec set rule name="VPN Suite B 256" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
52 3 Andreas Steffen
</pre>
53 4 Andreas Steffen
54 8 Andreas Steffen
The current rule settings are shown with the following command:
55 5 Andreas Steffen
56 5 Andreas Steffen
<pre>
57 16 Andreas Steffen
netsh advfirewall consec show rule name="VPN Suite B 256"
58 5 Andreas Steffen
59 16 Andreas Steffen
Rule Name:                            VPN Suite B 256
60 5 Andreas Steffen
----------------------------------------------------------------------
61 5 Andreas Steffen
Enabled:                              Yes
62 5 Andreas Steffen
Profiles:                             Domain,Private,Public
63 5 Andreas Steffen
Type:                                 Static
64 5 Andreas Steffen
Mode:                                 Tunnel
65 11 Andreas Steffen
LocalTunnelEndpoint:                  10.10.0.6
66 5 Andreas Steffen
RemoteTunnelEndpoint:                 10.10.0.1
67 5 Andreas Steffen
Endpoint1:                            10.10.0.6/32
68 5 Andreas Steffen
Endpoint2:                            10.10.1.0/24
69 5 Andreas Steffen
Protocol:                             Any
70 5 Andreas Steffen
Action:                               RequireInRequireOut
71 11 Andreas Steffen
Auth1:                                ComputerCertECDSAP256
72 11 Andreas Steffen
Auth1ECDSAP256CAName:                 C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
73 11 Andreas Steffen
Auth1ECDSAP256CertMapping:            No
74 11 Andreas Steffen
Auth1ECDSAP256ExcludeCAName:          No
75 11 Andreas Steffen
Auth1ECDSAP256CertType:               Root
76 1 Andreas Steffen
Auth1ECDSAP256HealthCert:             No
77 1 Andreas Steffen
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
78 11 Andreas Steffen
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
79 5 Andreas Steffen
ExemptIPsecProtectedConnections:      No
80 11 Andreas Steffen
ApplyAuthorization:                   No
81 1 Andreas Steffen
Ok.
82 1 Andreas Steffen
</pre>
83 5 Andreas Steffen
84 16 Andreas Steffen
h3. strongSwan Connection Definition
85 16 Andreas Steffen
86 8 Andreas Steffen
On the strongSwan side the following entries are required in ipsec.conf for 128 bit security:
87 8 Andreas Steffen
88 1 Andreas Steffen
<pre>
89 17 Andreas Steffen
conn suiteB-256
90 17 Andreas Steffen
     leftcert=koala_ec256Cert.pem
91 17 Andreas Steffen
     rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com"
92 17 Andreas Steffen
     ike=aes128-sha256-ecp256!
93 17 Andreas Steffen
     esp=aes128gcm16!
94 17 Andreas Steffen
     also=suiteB
95 17 Andreas Steffen
     auto=add
96 17 Andreas Steffen
97 1 Andreas Steffen
conn suiteB
98 12 Andreas Steffen
     left=10.10.0.1
99 12 Andreas Steffen
     leftsubnet=10.10.1.0/24
100 17 Andreas Steffen
     leftid=@koala.strongsec.com
101 1 Andreas Steffen
     leftfirewall=yes
102 1 Andreas Steffen
     lefthostaccess=yes
103 1 Andreas Steffen
     right=10.10.0.6
104 1 Andreas Steffen
     rightca=%same
105 1 Andreas Steffen
     keyexchange=ikev1
106 10 Andreas Steffen
     pfs=no
107 12 Andreas Steffen
     dpdaction=clear
108 12 Andreas Steffen
     dpddelay=300s
109 12 Andreas Steffen
     rekey=no
110 10 Andreas Steffen
</pre>
111 1 Andreas Steffen
112 16 Andreas Steffen
h3. Windows Security Association Monitoring
113 16 Andreas Steffen
114 1 Andreas Steffen
Pinging host 10.10.1.11 behind the Linux VPN gateway from the Windows host triggers the IKEv1 tunnel setup.
115 13 Andreas Steffen
The following Windows status information is available for the Main Mode:
116 1 Andreas Steffen
117 1 Andreas Steffen
!advfirewall_main_mode_128.png!
118 13 Andreas Steffen
119 13 Andreas Steffen
and the established Quick Mode:
120 1 Andreas Steffen
121 13 Andreas Steffen
!advfirewall_quick_mode_128.png!
122 13 Andreas Steffen
123 1 Andreas Steffen
h3. strongSwan IPsec Status Information
124 1 Andreas Steffen
125 1 Andreas Steffen
Here the resulting status output on the Linux side:
126 1 Andreas Steffen
127 1 Andreas Steffen
<pre>
128 17 Andreas Steffen
root@koala:~# ipsec statusall suiteB-256
129 1 Andreas Steffen
130 1 Andreas Steffen
Status of IKEv1 pluto daemon (strongSwan 4.3.3):
131 17 Andreas Steffen
interface eth1/eth1 10.10.0.1:4500
132 17 Andreas Steffen
interface eth1/eth1 10.10.0.1:500
133 1 Andreas Steffen
loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac 
134 1 Andreas Steffen
debug options: control
135 17 Andreas Steffen
136 17 Andreas Steffen
"suiteB-256": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com]; erouted; eroute owner: !#2
137 17 Andreas Steffen
"suiteB-256":   CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'
138 17 Andreas Steffen
"suiteB-256":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
139 17 Andreas Steffen
"suiteB-256":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
140 17 Andreas Steffen
"suiteB-256":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; 
141 17 Andreas Steffen
"suiteB-256":   newest ISAKMP SA: !#1; newest IPsec SA: !#2; 
142 17 Andreas Steffen
"suiteB-256":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
143 17 Andreas Steffen
"suiteB-256":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>
144 1 Andreas Steffen
 
145 17 Andreas Steffen
!#2: "suiteB-256" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3579s; newest IPSEC; eroute owner
146 17 Andreas Steffen
!#2: "suiteB-256" esp.aa4cf272@10.10.0.6 (180 bytes, 16s ago) esp.cdf37664@10.10.0.1 (240 bytes, 16s ago); tunnel
147 17 Andreas Steffen
!#1: "suiteB-256" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28778s; newest ISAKMP
148 17 Andreas Steffen
149 16 Andreas Steffen
</pre>
150 16 Andreas Steffen
151 16 Andreas Steffen
h2. Suite B with 192 Bit Security
152 16 Andreas Steffen
153 16 Andreas Steffen
h3. Windows Connection Security Rule
154 16 Andreas Steffen
155 18 Andreas Steffen
We create a "VPN Suite B 384" security rule:
156 18 Andreas Steffen
157 18 Andreas Steffen
!advfirewall_security_rule_384.png!
158 18 Andreas Steffen
159 18 Andreas Steffen
The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B 384":
160 18 Andreas Steffen
161 1 Andreas Steffen
<pre>
162 18 Andreas Steffen
netsh advfirewall consec set rule name="VPN Suite B 384" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
163 18 Andreas Steffen
</pre>
164 1 Andreas Steffen
165 18 Andreas Steffen
The current rule settings are shown with the following command:
166 18 Andreas Steffen
167 18 Andreas Steffen
<pre>
168 18 Andreas Steffen
netsh advfirewall consec show rule name="VPN Suite B 384"
169 18 Andreas Steffen
170 16 Andreas Steffen
Rule Name:                            VPN Suite B 384
171 16 Andreas Steffen
----------------------------------------------------------------------
172 16 Andreas Steffen
Enabled:                              Yes
173 16 Andreas Steffen
Profiles:                             Domain,Private,Public
174 16 Andreas Steffen
Type:                                 Static
175 16 Andreas Steffen
Mode:                                 Tunnel
176 16 Andreas Steffen
LocalTunnelEndpoint:                  10.10.0.6
177 16 Andreas Steffen
RemoteTunnelEndpoint:                 10.10.0.1
178 16 Andreas Steffen
Endpoint1:                            10.10.0.6/32
179 16 Andreas Steffen
Endpoint2:                            10.10.1.0/24
180 16 Andreas Steffen
Protocol:                             Any
181 16 Andreas Steffen
Action:                               RequireInRequireOut
182 16 Andreas Steffen
Auth1:                                ComputerCertECDSAP384
183 16 Andreas Steffen
Auth1ECDSAP384CAName:                 C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
184 16 Andreas Steffen
Auth1ECDSAP384CertMapping:            No
185 16 Andreas Steffen
Auth1ECDSAP384ExcludeCAName:          No
186 16 Andreas Steffen
Auth1ECDSAP384CertType:               Root
187 16 Andreas Steffen
Auth1ECDSAP384HealthCert:             No
188 16 Andreas Steffen
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
189 16 Andreas Steffen
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
190 16 Andreas Steffen
ExemptIPsecProtectedConnections:      No
191 16 Andreas Steffen
ApplyAuthorization:                   No
192 16 Andreas Steffen
Ok.
193 16 Andreas Steffen
</pre>
194 16 Andreas Steffen
195 1 Andreas Steffen
h3. Windows Security Association Monitoring
196 1 Andreas Steffen
197 18 Andreas Steffen
Pinging host 10.10.1.11 behind the Linux VPN gateway from the Windows host triggers the IKEv1 tunnel setup.
198 18 Andreas Steffen
The following Windows status information is available for the Main Mode:
199 1 Andreas Steffen
200 18 Andreas Steffen
!advfirewall_main_mode_192.png!
201 18 Andreas Steffen
202 18 Andreas Steffen
and the established Quick Mode:
203 18 Andreas Steffen
204 18 Andreas Steffen
!advfirewall_quick_mode_192.png!
205 18 Andreas Steffen
206 18 Andreas Steffen
h3. strongSwan IPsec Status Information
207 18 Andreas Steffen
208 1 Andreas Steffen
Here the resulting status output on the Linux side:
209 18 Andreas Steffen
210 18 Andreas Steffen
<pre>
211 18 Andreas Steffen
root@koala:~# ipsec statusall suiteB-384
212 18 Andreas Steffen
213 18 Andreas Steffen
Status of IKEv1 pluto daemon (strongSwan 4.3.3):
214 18 Andreas Steffen
interface eth1/eth1 10.10.0.1:4500
215 18 Andreas Steffen
interface eth1/eth1 10.10.0.1:500
216 18 Andreas Steffen
loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac 
217 18 Andreas Steffen
debug options: control
218 18 Andreas Steffen
219 18 Andreas Steffen
"suiteB-384": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-384, CN=bonsai.strongsec.com]; erouted; eroute owner: !#6
220 18 Andreas Steffen
"suiteB-384":   CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'
221 18 Andreas Steffen
"suiteB-384":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
222 18 Andreas Steffen
"suiteB-384":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
223 18 Andreas Steffen
"suiteB-384":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; 
224 18 Andreas Steffen
"suiteB-384":   newest ISAKMP SA: !#5; newest IPsec SA: !#6; 
225 18 Andreas Steffen
"suiteB-384":   IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384
226 18 Andreas Steffen
"suiteB-384":   ESP proposal: AES_GCM_16_192/AUTH_NONE/<N/A>
227 18 Andreas Steffen
228 18 Andreas Steffen
!#6: "suiteB-384" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3591s; newest IPSEC; eroute owner
229 18 Andreas Steffen
!#6: "suiteB-384" esp.f54365c2@10.10.0.6 (180 bytes, 4s ago) esp.9f80bd7e@10.10.0.1 (240 bytes, 4s ago); tunnel
230 18 Andreas Steffen
!#5: "suiteB-384" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28790s; newest ISAKMP
231 18 Andreas Steffen
</pre>