Windows Suite B Support with IKEv1 » History » Version 18
Andreas Steffen, 22.07.2009 17:43
added Linux suiteB-384 information
h1. Windows Suite B Support with IKEv1

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.

h2. Preparations

h3. Import of Windows Machine Certificates

First we import an ECDSA-256 and an ECDSA-384 machine certificate into the local computer part of the Windows registry using the Microsoft Management Console (mmc):

!advfirewall_mmc.png!

Here are some details of the imported ECDSA-256 certificate:

!advfirewall_ecdsa256_cert.png!

and here those of the imported ECDSA-384 certificate:

!advfirewall_ecdsa384_cert.png!

h3. Windows Suite B IKEv1 Main Mode Security Methods

The following command sets the IKEv1 Main Mode security methods:

<pre>
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
</pre>

The currently configured algorithms can be checked using the command:

<pre>
netsh advfirewall show global

Main Mode:
KeyLifetime 480min,0sess
SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH No
</pre>

h2. Suite B with 128 Bit Security

h3. Windows Connection Security Rule

First we create a new "VPN Suite B 256" security rule:

!advfirewall_security_rule_256.png!

The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B 256":

<pre>
netsh advfirewall consec set rule name="VPN Suite B 256" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
</pre>

The current rule settings are shown with the following command:

<pre>
netsh advfirewall consec show rule name="VPN Suite B 256"

Rule Name: VPN Suite B 256
----------------------------------------------------------------------
Enabled: Yes
Profiles: Domain,Private,Public
Type: Static
Mode: Tunnel
LocalTunnelEndpoint: 10.10.0.6
RemoteTunnelEndpoint: 10.10.0.1
Endpoint1: 10.10.0.6/32
Endpoint2: 10.10.1.0/24
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerCertECDSAP256
Auth1ECDSAP256CAName: C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
Auth1ECDSAP256CertMapping: No
Auth1ECDSAP256ExcludeCAName: No
Auth1ECDSAP256CertType: Root
Auth1ECDSAP256HealthCert: No
MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods: ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Ok.
</pre>

h3. strongSwan Connection Definition

On the strongSwan side the following entries are required in ipsec.conf for 128 bit security:

<pre>
conn suiteB-256
        leftcert=koala_ec256Cert.pem
        rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com"
        ike=aes128-sha256-ecp256!
        esp=aes128gcm16!
        also=suiteB
        auto=add

conn suiteB
        left=10.10.0.1
        leftsubnet=10.10.1.0/24
        leftid=@koala.strongsec.com
        leftfirewall=yes
        lefthostaccess=yes
        right=10.10.0.6
        rightca=%same
        keyexchange=ikev1
        pfs=no
        dpdaction=clear
        dpddelay=300s
        rekey=no
</pre>
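
The two conn sections above are the strongSwan counterpart of the Windows Main Mode and Quick Mode method strings. The following Python script is an added example, not part of this page or of strongSwan: it translates the netsh method syntax (ecdhp256:aes128-sha256, esp:aesgcm128-aesgcm128) into the ike=/esp= keywords of ipsec.conf, picks the Main Mode method of a wanted Suite B level (128 or 192 bit, derived from the ECP group and the SHA-2 PRF) together with the AES-GCM Quick Mode method of the same key length, and renders the per-level conn section with the strict "!" suffix so that only that proposal is accepted. The Windows method lists are the ones configured above; dhgroup14:aes128-sha1 is classified as a non Suite B fallback. For the 192 bit level the certificate file name koala_ec384Cert.pem is an assumption, not taken from this page.

```python
"""Translate Windows 'netsh advfirewall' Suite B method strings into the
strongSwan ike=/esp= syntax of ipsec.conf and render a conn section.
Added example, not strongSwan code; koala_ec384Cert.pem is an assumed name."""

import re

# Windows Main Mode group name -> strongSwan DH group keyword
DH_GROUPS = {
    "ecdhp256": "ecp256",
    "ecdhp384": "ecp384",
    "dhgroup14": "modp2048",   # RFC 3526 group 14, not part of Suite B
    "dhgroup2": "modp1024",
}

# Suite B pairs an ECP group with the matching SHA-2 PRF; the level is the
# symmetric-equivalent strength of that pair.
SUITE_B_LEVEL = {("ecp256", "sha256"): 128, ("ecp384", "sha384"): 192}

# method lists as configured on this page
MAINMODE = "ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1"
QUICKMODE = "esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256"


def mainmode_to_ike(method):
    """'ecdhp256:aes128-sha256' -> ('aes128-sha256-ecp256', 128); the second
    value is None when the method is not a Suite B combination."""
    group, _, alg = method.strip().lower().partition(":")
    enc, _, integ = alg.partition("-")
    if group not in DH_GROUPS or not enc or not integ:
        raise ValueError("unrecognised Main Mode method: %r" % method)
    ss_group = DH_GROUPS[group]
    return "%s-%s-%s" % (enc, integ, ss_group), SUITE_B_LEVEL.get((ss_group, integ))


def quickmode_to_esp(method):
    """'esp:aesgcm128-aesgcm128' -> 'aes128gcm16'; 'esp:aes128-sha1' -> 'aes128-sha1'."""
    proto, _, alg = method.strip().lower().partition(":")
    if proto != "esp":
        raise ValueError("only ESP Quick Mode methods are handled: %r" % method)
    enc, _, integ = alg.partition("-")
    m = re.fullmatch(r"aesgcm(128|192|256)", enc)
    if m:
        # Windows names AES-GCM for both encryption and integrity; strongSwan
        # uses one keyword with the 16 byte ICV (pluto shows AES_GCM_16_<bits>)
        if integ != enc:
            raise ValueError("AES-GCM needs the same name twice: %r" % method)
        return "aes%sgcm16" % m.group(1)
    return "%s-%s" % (enc, integ)


def suiteb_proposals(mmsecmethods, qmsecmethods, level):
    """Return the strict ike= and esp= values for the wanted Suite B level."""
    ike = None
    for method in mmsecmethods.split(","):
        candidate, lvl = mainmode_to_ike(method)
        if lvl == level and ike is None:
            ike = candidate
    if ike is None:
        raise ValueError("no Suite B %d bit Main Mode method offered" % level)
    keylen = re.match(r"aes(\d+)", ike).group(1)
    wanted = "aes%sgcm16" % keylen          # same key length for ESP
    if wanted not in [quickmode_to_esp(m) for m in qmsecmethods.split(",")]:
        raise ValueError("Quick Mode offers no %s" % wanted)
    return ike + "!", wanted + "!"


def render_conn(name, ike, esp, leftcert, rightid):
    """Render the per-level conn; shared settings live in 'also=suiteB'."""
    return "\n".join(["conn %s" % name,
                      "        leftcert=%s" % leftcert,
                      '        rightid="%s"' % rightid,
                      "        ike=%s" % ike,
                      "        esp=%s" % esp,
                      "        also=suiteB",
                      "        auto=add"])


if __name__ == "__main__":
    ike, esp = suiteb_proposals(MAINMODE, QUICKMODE, 128)
    print(render_conn("suiteB-256", ike, esp, "koala_ec256Cert.pem",
                      "C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com"))
    print()
    ike, esp = suiteb_proposals(MAINMODE, QUICKMODE, 192)
    # certificate file name for the 384 bit level is assumed, not from the page
    print(render_conn("suiteB-384", ike, esp, "koala_ec384Cert.pem",
                      "C=CH, O=strongSec GmbH, OU=ECDSA-384, CN=bonsai.strongsec.com"))
```

Running the script prints the suiteB-256 section exactly as above and a suiteB-384 section with ike=aes192-sha384-ecp384! and esp=aes192gcm16!, which is what the pluto status output for the 192 bit tunnel later on this page reports as negotiated.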

h3. Windows Security Association Monitoring

Pinging host 10.10.1.11 behind the Linux VPN gateway from the Windows host triggers the IKEv1 tunnel setup.
The following Windows status information is available for the Main Mode:

!advfirewall_main_mode_128.png!

and the established Quick Mode:

!advfirewall_quick_mode_128.png!

h3. strongSwan IPsec Status Information

Here is the resulting status output on the Linux side:

<pre>
root@koala:~# ipsec statusall suiteB-256

Status of IKEv1 pluto daemon (strongSwan 4.3.3):
interface eth1/eth1 10.10.0.1:4500
interface eth1/eth1 10.10.0.1:500
loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac
debug options: control

"suiteB-256": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com]; erouted; eroute owner: !#2
"suiteB-256": CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'
"suiteB-256": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"suiteB-256": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"suiteB-256": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"suiteB-256": newest ISAKMP SA: !#1; newest IPsec SA: !#2;
"suiteB-256": IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"suiteB-256": ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

!#2: "suiteB-256" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3579s; newest IPSEC; eroute owner
!#2: "suiteB-256" esp.aa4cf272@10.10.0.6 (180 bytes, 16s ago) esp.cdf37664@10.10.0.1 (240 bytes, 16s ago); tunnel
!#1: "suiteB-256" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28778s; newest ISAKMP

</pre>

h2. Suite B with 192 Bit Security

h3. Windows Connection Security Rule

We create a "VPN Suite B 384" security rule:

!advfirewall_security_rule_384.png!

The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B 384":

<pre>
netsh advfirewall consec set rule name="VPN Suite B 384" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
</pre>

The current rule settings are shown with the following command:

<pre>
netsh advfirewall consec show rule name="VPN Suite B 384"

Rule Name: VPN Suite B 384
----------------------------------------------------------------------
Enabled: Yes
Profiles: Domain,Private,Public
Type: Static
Mode: Tunnel
LocalTunnelEndpoint: 10.10.0.6
RemoteTunnelEndpoint: 10.10.0.1
Endpoint1: 10.10.0.6/32
Endpoint2: 10.10.1.0/24
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerCertECDSAP384
Auth1ECDSAP384CAName: C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
Auth1ECDSAP384CertMapping: No
Auth1ECDSAP384ExcludeCAName: No
Auth1ECDSAP384CertType: Root
Auth1ECDSAP384HealthCert: No
MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods: ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Ok.
</pre>

h3. Windows Security Association Monitoring

Pinging host 10.10.1.11 behind the Linux VPN gateway from the Windows host triggers the IKEv1 tunnel setup.
The following Windows status information is available for the Main Mode:

!advfirewall_main_mode_192.png!

and the established Quick Mode:

!advfirewall_quick_mode_192.png!

h3. strongSwan IPsec Status Information

Here is the resulting status output on the Linux side:

<pre>
root@koala:~# ipsec statusall suiteB-384

Status of IKEv1 pluto daemon (strongSwan 4.3.3):
interface eth1/eth1 10.10.0.1:4500
interface eth1/eth1 10.10.0.1:500
loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac
debug options: control

"suiteB-384": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-384, CN=bonsai.strongsec.com]; erouted; eroute owner: !#6
"suiteB-384": CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'
"suiteB-384": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"suiteB-384": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"suiteB-384": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"suiteB-384": newest ISAKMP SA: !#5; newest IPsec SA: !#6;
"suiteB-384": IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384
"suiteB-384": ESP proposal: AES_GCM_16_192/AUTH_NONE/<N/A>

!#6: "suiteB-384" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3591s; newest IPSEC; eroute owner
!#6: "suiteB-384" esp.f54365c2@10.10.0.6 (180 bytes, 4s ago) esp.9f80bd7e@10.10.0.1 (240 bytes, 4s ago); tunnel
!#5: "suiteB-384" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28790s; newest ISAKMP
</pre>
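
Because Windows offers the non Suite B method DHGroup14-AES128-SHA1 in Main Mode as well, it is worth confirming from the gateway which proposal a tunnel actually negotiated rather than trusting the rule settings. The following Python script is an added example, not part of this page or of strongSwan: it parses the ipsec statusall output of the pluto daemon for a connection name, extracts the IKE and ESP proposal lines and the SA states, and lists every deviation from the proposals expected for the 128 bit level (AES_CBC_128/HMAC_SHA2_256/ECP_256 with AES_GCM_16_128) and the 192 bit level (AES_CBC_192/HMAC_SHA2_384/ECP_384 with AES_GCM_16_192), as printed in the two status outputs on this page. The embedded SUITEB_384 sample copies the suiteB-384 lines above; the FALLBACK sample is constructed to show what a tunnel that dropped to the MODP group 14 method would look like, and is not output recorded on this page.

```python
"""Check from 'ipsec statusall' output which proposals a Suite B IKEv1
connection really negotiated.  Added example, not strongSwan code.  SUITEB_384
is copied from the page; FALLBACK is a constructed sample of a tunnel that
negotiated the non Suite B Main Mode method and has no IPsec SA yet."""

import re

# pluto proposal strings expected per Suite B level, as shown on this page
EXPECTED = {
    128: ("AES_CBC_128/HMAC_SHA2_256/ECP_256", "AES_GCM_16_128/AUTH_NONE/<N/A>"),
    192: ("AES_CBC_192/HMAC_SHA2_384/ECP_384", "AES_GCM_16_192/AUTH_NONE/<N/A>"),
}

SUITEB_384 = '''
"suiteB-384": newest ISAKMP SA: !#5; newest IPsec SA: !#6;
"suiteB-384": IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384
"suiteB-384": ESP proposal: AES_GCM_16_192/AUTH_NONE/<N/A>

!#6: "suiteB-384" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3591s; newest IPSEC; eroute owner
!#6: "suiteB-384" esp.f54365c2@10.10.0.6 (180 bytes, 4s ago) esp.9f80bd7e@10.10.0.1 (240 bytes, 4s ago); tunnel
!#5: "suiteB-384" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28790s; newest ISAKMP
'''

# constructed sample (not from the page): Main Mode fell back to group 14 /
# SHA-1 and no Quick Mode SA exists
FALLBACK = '''
"suiteB-384": newest ISAKMP SA: !#7;
"suiteB-384": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_2048
!#7: "suiteB-384" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28790s; newest ISAKMP
'''


def parse_statusall(text, conn):
    """Collect proposals, SA states and expiry timers for connection `conn`."""
    info = {"ike": None, "esp": None, "isakmp_established": False,
            "ipsec_established": False, "expire": {}}
    tag = '"%s"' % conn
    for line in text.splitlines():
        line = line.strip()
        if tag not in line:          # lines of other connections are ignored
            continue
        m = re.search(r"IKE proposal: (\S+)", line)
        if m:
            info["ike"] = m.group(1)
        m = re.search(r"ESP proposal: (\S+)", line)
        if m:
            info["esp"] = m.group(1)
        if "ISAKMP SA established" in line:
            info["isakmp_established"] = True
        if "IPsec SA established" in line:
            info["ipsec_established"] = True
        # state lines start with the SA number; the '!' is the wiki escape
        m = re.match(r"!?#(\d+): .*EVENT_SA_EXPIRE in (\d+)s", line)
        if m:
            info["expire"][int(m.group(1))] = int(m.group(2))
    return info


def check_suiteb(text, conn, level):
    """Return the list of deviations from the expected Suite B level
    (an empty list means the tunnel is up with the intended proposals)."""
    info = parse_statusall(text, conn)
    ike, esp = EXPECTED[level]
    problems = []
    if info["ike"] != ike:
        problems.append("IKE proposal %r, expected %r" % (info["ike"], ike))
    if info["esp"] != esp:
        problems.append("ESP proposal %r, expected %r" % (info["esp"], esp))
    if not info["isakmp_established"]:
        problems.append("no established ISAKMP SA")
    if not info["ipsec_established"]:
        problems.append("no established IPsec SA")
    return problems


if __name__ == "__main__":
    for name, text in (("page sample", SUITEB_384), ("constructed fallback", FALLBACK)):
        problems = check_suiteb(text, "suiteB-384", 192)
        print("%s: %s" % (name, "OK" if not problems else "; ".join(problems)))
```

On the page sample the check reports nothing; on the constructed fallback it reports the wrong IKE proposal, the missing ESP proposal and the missing IPsec SA. The same function applied to the suiteB-256 output above with level 128 also passes cleanly.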