Windows Suite B Support with IKEv1 » History » Version 19

Andreas Steffen, 22.07.2009 17:54
completed Linux information

h1. Windows Suite B Support with IKEv1

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.

h2. Preparations

h3. Import of Windows Machine Certificates

First we import an ECDSA-256 and an ECDSA-384 machine certificate into the local computer part of the Windows registry using the Microsoft Management Console (mmc):

!advfirewall_mmc.png!

Here are some details of the imported ECDSA-256 certificate:

!advfirewall_ecdsa256_cert.png!

and here are those of the imported ECDSA-384 certificate:

!advfirewall_ecdsa384_cert.png!

h3. Windows Suite B IKEv1 Main Mode Security Methods

The following command sets the IKEv1 Main Mode security methods globally:

<pre>
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
</pre>

The currently configured algorithms can be checked using the command:

<pre>
netsh advfirewall show global

Main Mode:
KeyLifetime  480min,0sess
SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH      No
</pre>

h3. Import of strongSwan Private Keys

The paths to the RSA and ECDSA private keys are defined in /etc/ipsec.secrets:

<pre>
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA vpnKey.pem

: ECDSA koala_ec256Key.pem

: ECDSA koala_ec384Key.pem

</pre>

h2. Suite B with 128 Bit Security

h3. Windows Connection Security Rule

First we create a new "VPN Suite B 256" security rule:

!advfirewall_security_rule_256.png!

The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B 256":

<pre>
netsh advfirewall consec set rule name="VPN Suite B 256" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
</pre>

The current rule settings are shown with the following command:

<pre>
netsh advfirewall consec show rule name="VPN Suite B 256"

Rule Name:                            VPN Suite B 256
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  10.10.0.6
RemoteTunnelEndpoint:                 10.10.0.1
Endpoint1:                            10.10.0.6/32
Endpoint2:                            10.10.1.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCertECDSAP256
Auth1ECDSAP256CAName:                 C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
Auth1ECDSAP256CertMapping:            No
Auth1ECDSAP256ExcludeCAName:          No
Auth1ECDSAP256CertType:               Root
Auth1ECDSAP256HealthCert:             No
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
Ok.
</pre>

h3. strongSwan Connection Definition

On the strongSwan side the following entries are required in ipsec.conf for 128-bit security:

<pre>
conn suiteB-256
     leftcert=koala_ec256Cert.pem
     rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com"
     ike=aes128-sha256-ecp256!
     esp=aes128gcm16!
     also=suiteB
     auto=add

conn suiteB
     left=10.10.0.1
     leftsubnet=10.10.1.0/24
     leftid=@koala.strongsec.com
     leftfirewall=yes
     lefthostaccess=yes
     right=10.10.0.6
     rightca=%same
     keyexchange=ikev1
     pfs=no
     dpdaction=clear
     dpddelay=300s
     rekey=no
</pre>

h3. Windows Security Association Monitoring

Pinging host 10.10.1.11 behind the Linux VPN gateway from the Windows host triggers the IKEv1 tunnel setup.
The following Windows status information is available for the Main Mode:

!advfirewall_main_mode_128.png!

and the established Quick Mode:

!advfirewall_quick_mode_128.png!

h3. strongSwan IPsec Status Information

Here is the resulting status output on the Linux side:

<pre>
root@koala:~# ipsec statusall suiteB-256

Status of IKEv1 pluto daemon (strongSwan 4.3.3):
interface eth1/eth1 10.10.0.1:4500
interface eth1/eth1 10.10.0.1:500
loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac
debug options: control

"suiteB-256": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com]; erouted; eroute owner: !#2
"suiteB-256":   CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'
"suiteB-256":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"suiteB-256":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"suiteB-256":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"suiteB-256":   newest ISAKMP SA: !#1; newest IPsec SA: !#2;
"suiteB-256":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"suiteB-256":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

!#2: "suiteB-256" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3579s; newest IPSEC; eroute owner
!#2: "suiteB-256" esp.aa4cf272@10.10.0.6 (180 bytes, 16s ago) esp.cdf37664@10.10.0.1 (240 bytes, 16s ago); tunnel
!#1: "suiteB-256" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28778s; newest ISAKMP

</pre>

h2. Suite B with 192 Bit Security

h3. Windows Connection Security Rule

We create a "VPN Suite B 384" security rule:

!advfirewall_security_rule_384.png!

The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN Suite B 384":

<pre>
netsh advfirewall consec set rule name="VPN Suite B 384" new qmsecmethods=esp:aesgcm128-aesgcm128,esp:aesgcm192-aesgcm192,esp:aesgcm256-aesgcm256
</pre>

The current rule settings are shown with the following command:

<pre>
netsh advfirewall consec show rule name="VPN Suite B 384"

Rule Name:                            VPN Suite B 384
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  10.10.0.6
RemoteTunnelEndpoint:                 10.10.0.1
Endpoint1:                            10.10.0.6/32
Endpoint2:                            10.10.1.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCertECDSAP384
Auth1ECDSAP384CAName:                 C=CH, O=strongSec GmbH, CN=strongSec 2007 CA
Auth1ECDSAP384CertMapping:            No
Auth1ECDSAP384ExcludeCAName:          No
Auth1ECDSAP384CertType:               Root
Auth1ECDSAP384HealthCert:             No
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
Ok.
</pre>
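The Windows algorithm names in the global Main Mode list and in the QuickModeSecMethods of the "VPN Suite B 256" and "VPN Suite B 384" rules above have to line up with the strongSwan ike=/esp= keywords, otherwise the peers have no proposal in common. The following Python script is an added example (not code from the original page, from strongSwan or from Microsoft) that parses the netsh rule output, translates the Windows names into strongSwan proposal keywords, lists the proposals both sides accept, and flags the Windows proposals that fall outside Suite B (the DHGroup14/SHA-1 fallback). The name table covers the netsh names on this page plus dhgroup2 and a few classic ciphers; the embedded sample is a shortened copy of the page's "VPN Suite B 384" rule output.

```python
import re

# netsh advfirewall algorithm names -> strongSwan proposal keywords.
# Covers the names used on this page plus a few common classic ones; any
# other name raises KeyError so nothing is silently mistranslated.
WIN_DH = {"ECDHP256": "ecp256", "ECDHP384": "ecp384",
          "DHGROUP14": "modp2048", "DHGROUP2": "modp1024"}
WIN_ENC = {"AES128": "aes128", "AES192": "aes192", "AES256": "aes256",
           "3DES": "3des", "DES": "des",
           # Windows AES-GCM uses the 16-octet ICV, i.e. strongSwan's aesNNNgcm16
           "AESGCM128": "aes128gcm16", "AESGCM192": "aes192gcm16",
           "AESGCM256": "aes256gcm16"}
WIN_INT = {"SHA1": "sha1", "SHA256": "sha256", "SHA384": "sha384", "MD5": "md5"}

# Keywords outside the RFC 4869 Suite B algorithm set
NOT_SUITE_B = {"sha1", "md5", "des", "3des", "modp1024", "modp2048"}


def mainmode_to_ike(secmethods):
    """'ECDHP256-AES128-SHA256,DHGroup14-AES128-SHA1'
       -> ['aes128-sha256-ecp256', 'aes128-sha1-modp2048']"""
    out = []
    for method in secmethods.split(","):
        dh, enc, integ = method.strip().upper().split("-")
        out.append(f"{WIN_ENC[enc]}-{WIN_INT[integ]}-{WIN_DH[dh]}")
    return out


def quickmode_to_esp(secmethods):
    """Each entry is 'ESP:<integrity>-<encryption>[+lifetime...]'; for the
    AES-GCM combined mode both halves carry the same name and strongSwan
    takes no separate integrity algorithm."""
    out = []
    for method in secmethods.split(","):
        proto, rest = method.strip().split(":", 1)
        if proto.upper() != "ESP":
            raise ValueError(f"only ESP entries are handled here: {method}")
        integ, enc = rest.split("+", 1)[0].upper().split("-")
        out.append(WIN_ENC[enc] if enc.startswith("AESGCM")
                   else f"{WIN_ENC[enc]}-{WIN_INT[integ]}")
    return out


def parse_netsh_rule(text):
    """Collect the 'Key:   value' lines of 'netsh advfirewall consec show rule'."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9 ]+?):\s+(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def strongswan_proposals(value):
    """'aes128-sha256-ecp256!' -> (['aes128-sha256-ecp256'], True); '!' = strict."""
    return [p.strip() for p in value.rstrip("!").split(",")], value.endswith("!")


def common_proposals(windows_proposals, strongswan_value):
    """Proposals both peers accept, in strongSwan's (preferred-first) order."""
    ours, _ = strongswan_proposals(strongswan_value)
    theirs = set(windows_proposals)
    return [p for p in ours if p in theirs]


def non_suite_b(proposals):
    """Proposals that contain an algorithm outside Suite B."""
    return [p for p in proposals if set(p.split("-")) & NOT_SUITE_B]


def check_rule(rule_text, ike, esp):
    """Compare one Windows rule against a strongSwan conn's ike=/esp= values."""
    fields = parse_netsh_rule(rule_text)
    win_ike = mainmode_to_ike(fields["MainModeSecMethods"])
    win_esp = quickmode_to_esp(fields["QuickModeSecMethods"])
    return {
        "rule": fields["Rule Name"],
        "ike_common": common_proposals(win_ike, ike),
        "esp_common": common_proposals(win_esp, esp),
        "windows_non_suite_b": non_suite_b(win_ike + win_esp),
    }


# Constructed sample: a shortened copy of the page's "VPN Suite B 384" rule output
SAMPLE_RULE_384 = """\
Rule Name:                            VPN Suite B 384
----------------------------------------------------------------------
Enabled:                              Yes
Mode:                                 Tunnel
Auth1:                                ComputerCertECDSAP384
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM256-AESGCM256+60min+100000kb
Ok.
"""

if __name__ == "__main__":
    # conn suiteB-384 on this page: ike=aes192-sha384-ecp384! esp=aes192gcm16!
    print(check_rule(SAMPLE_RULE_384, "aes192-sha384-ecp384!", "aes192gcm16!"))
```

Because the strongSwan proposals on this page end in "!", strongSwan only accepts exactly that one proposal, so the Windows DHGroup14-AES128-SHA1 entry can never be negotiated with these conns; the script reports it under windows_non_suite_b so an administrator can see that it is present in the Windows policy at all.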

h3. strongSwan Connection Definition

On the strongSwan side the following entries are required in ipsec.conf for 192-bit security:

<pre>
conn suiteB-384
     leftcert=koala_ec384Cert.pem
     rightid="C=CH, O=strongSec GmbH, OU=ECDSA-384, CN=bonsai.strongsec.com"
     ike=aes192-sha384-ecp384!
     esp=aes192gcm16!
     also=suiteB
     auto=add
</pre>
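Both conn suiteB-256 and conn suiteB-384 pull the shared settings (endpoints, IKEv1, pfs=no, DPD, rekey=no) from conn suiteB via also=, and only override the certificate, peer identity and proposals. The following Python script is an added example (not part of the original page or of strongSwan) that parses the three sections shown on this page, resolves also= the way strongSwan does (the referring section's own values win over included ones) and runs a few sanity checks on the effective connection; the embedded ipsec.conf text is a copy of the page's sections, and the assumption that a section carries at most one also= line is the script's own simplification.

```python
import re

# Constructed sample: the conn sections from this page, combined in one file
IPSEC_CONF = """\
conn suiteB-256
     leftcert=koala_ec256Cert.pem
     rightid="C=CH, O=strongSec GmbH, OU=ECDSA-256, CN=bonsai.strongsec.com"
     ike=aes128-sha256-ecp256!
     esp=aes128gcm16!
     also=suiteB
     auto=add

conn suiteB-384
     leftcert=koala_ec384Cert.pem
     rightid="C=CH, O=strongSec GmbH, OU=ECDSA-384, CN=bonsai.strongsec.com"
     ike=aes192-sha384-ecp384!
     esp=aes192gcm16!
     also=suiteB
     auto=add

conn suiteB
     left=10.10.0.1
     leftsubnet=10.10.1.0/24
     leftid=@koala.strongsec.com
     leftfirewall=yes
     lefthostaccess=yes
     right=10.10.0.6
     rightca=%same
     keyexchange=ikev1
     pfs=no
     dpdaction=clear
     dpddelay=300s
     rekey=no
"""


def parse_conns(text):
    """Split ipsec.conf text into {conn name: {key: value}} (conn sections only)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[0] in " \t" and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns


def effective(conns, name, _seen=None):
    """Resolve also=: the referring section's own settings take precedence
    over the included section, which may itself contain also= (simplified
    here to a single also= per section)."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        raise ValueError(f"circular also= chain via {name}")
    seen.add(name)
    own = dict(conns[name])
    include = own.pop("also", None)
    merged = effective(conns, include, seen) if include else {}
    merged.update(own)
    return merged


def check_conn(conn):
    """Checks relevant to the setup on this page; returns a list of problems."""
    problems = []
    for key in ("left", "right", "leftcert", "rightid", "ike", "esp"):
        if key not in conn:
            problems.append(f"missing {key}")
    if conn.get("keyexchange") != "ikev1":
        problems.append("keyexchange is not ikev1 (the Windows rules use IKEv1)")
    for key in ("ike", "esp"):
        if key in conn and not conn[key].endswith("!"):
            problems.append(f"{key}= is not strict (no trailing '!'), weaker "
                            "proposals could be negotiated")
    return problems


if __name__ == "__main__":
    conns = parse_conns(IPSEC_CONF)
    for name in ("suiteB-256", "suiteB-384"):
        eff = effective(conns, name)
        print(name, eff["ike"], eff["esp"], eff["right"], check_conn(eff))
```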

h3. Windows Security Association Monitoring

Pinging host 10.10.1.11 behind the Linux VPN gateway from the Windows host triggers the IKEv1 tunnel setup.
The following Windows status information is available for the Main Mode:

!advfirewall_main_mode_192.png!

and the established Quick Mode:

!advfirewall_quick_mode_192.png!

h3. strongSwan IPsec Status Information

Here is the resulting status output on the Linux side:

<pre>
root@koala:~# ipsec statusall suiteB-384

Status of IKEv1 pluto daemon (strongSwan 4.3.3):
interface eth1/eth1 10.10.0.1:4500
interface eth1/eth1 10.10.0.1:500
loaded plugins: curl test-vectors aes des sha1 sha2 md5 gmp openssl pubkey random hmac
debug options: control

"suiteB-384": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-384, CN=bonsai.strongsec.com]; erouted; eroute owner: !#6
"suiteB-384":   CAs: 'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'...'C=CH, O=strongSec GmbH, CN=strongSec 2007 CA'
"suiteB-384":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"suiteB-384":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"suiteB-384":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"suiteB-384":   newest ISAKMP SA: !#5; newest IPsec SA: !#6;
"suiteB-384":   IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384
"suiteB-384":   ESP proposal: AES_GCM_16_192/AUTH_NONE/<N/A>

!#6: "suiteB-384" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3591s; newest IPSEC; eroute owner
!#6: "suiteB-384" esp.f54365c2@10.10.0.6 (180 bytes, 4s ago) esp.9f80bd7e@10.10.0.1 (240 bytes, 4s ago); tunnel
!#5: "suiteB-384" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28790s; newest ISAKMP
</pre>
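The two ipsec statusall listings above (for suiteB-256 and suiteB-384) are what an operator checks to confirm that the tunnel really negotiated the intended Suite B algorithms rather than a fallback, and that both the ISAKMP and the IPsec SA are established. The following Python script is an added example (not code from the original page or from strongSwan) that parses the pluto status lines for each connection, compares the negotiated IKE and ESP proposals with the 128-bit and 192-bit levels used on this page, and reports deviations. The first embedded sample is a shortened copy of the page's suiteB-384 output; the second ("fallback") is a constructed listing of a connection that ended up on a non-Suite B IKE proposal and never completed Quick Mode, used only to show what a deviation report looks like. The "!#" prefixes are accepted as well as plain "#" because the wiki rendering above shows them that way.

```python
import re

# Proposal strings pluto prints for the two security levels set up on this page
LEVELS = {
    128: {"ike": "AES_CBC_128/HMAC_SHA2_256/ECP_256",
          "esp": "AES_GCM_16_128/AUTH_NONE/<N/A>"},
    192: {"ike": "AES_CBC_192/HMAC_SHA2_384/ECP_384",
          "esp": "AES_GCM_16_192/AUTH_NONE/<N/A>"},
}

# Constructed sample: shortened copy of the page's suiteB-384 listing plus a
# made-up "fallback" connection that negotiated SHA-1/MODP-2048 for IKE and
# has no IPsec SA
SAMPLE_STATUS = """\
Status of IKEv1 pluto daemon (strongSwan 4.3.3):
interface eth1/eth1 10.10.0.1:500

"suiteB-384": 10.10.1.0/24===10.10.0.1[@koala.strongsec.com]...10.10.0.6[C=CH, O=strongSec GmbH, OU=ECDSA-384, CN=bonsai.strongsec.com]; erouted; eroute owner: !#6
"suiteB-384":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"suiteB-384":   newest ISAKMP SA: !#5; newest IPsec SA: !#6;
"suiteB-384":   IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384
"suiteB-384":   ESP proposal: AES_GCM_16_192/AUTH_NONE/<N/A>
"fallback":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"fallback":   IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_2048
"fallback":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

!#6: "suiteB-384" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3591s; newest IPSEC; eroute owner
!#6: "suiteB-384" esp.f54365c2@10.10.0.6 (180 bytes, 4s ago) esp.9f80bd7e@10.10.0.1 (240 bytes, 4s ago); tunnel
!#5: "suiteB-384" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28790s; newest ISAKMP
#3: "fallback" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28000s; newest ISAKMP
"""


def parse_statusall(text):
    """Collect negotiated proposals, policy flags and SA states per connection
    from 'ipsec statusall' output of the IKEv1 pluto daemon."""
    conns = {}
    for line in text.splitlines():
        # connection lines start with "name": ..., state lines with #N: "name" ...
        m = re.match(r'^(?:!?#\d+:\s+)?"([^"]+)"', line)
        if not m:
            continue
        c = conns.setdefault(m.group(1), {"ike": None, "esp": None, "policy": set(),
                                           "isakmp_sa": False, "ipsec_sa": False})
        body = line[m.end():]
        ike = re.search(r"IKE proposal: (\S+)", body)
        esp = re.search(r"ESP proposal: (\S+)", body)
        pol = re.search(r"policy: ([A-Z+]+);", body)
        if ike:
            c["ike"] = ike.group(1)
        elif esp:
            c["esp"] = esp.group(1)
        elif pol:
            c["policy"] = set(pol.group(1).split("+"))
        elif "ISAKMP SA established" in body:
            c["isakmp_sa"] = True
        elif "IPsec SA established" in body:
            c["ipsec_sa"] = True
    return conns


def verify(conn, level):
    """Deviations of one parsed connection from the expected Suite B level."""
    expected = LEVELS[level]
    problems = []
    if conn["ike"] != expected["ike"]:
        problems.append(f"IKE proposal {conn['ike']} != {expected['ike']}")
    if conn["esp"] != expected["esp"]:
        problems.append(f"ESP proposal {conn['esp']} != {expected['esp']}")
    for flag in ("PUBKEY", "ENCRYPT", "TUNNEL"):   # certificate auth, ESP, tunnel mode
        if flag not in conn["policy"]:
            problems.append(f"policy lacks {flag}")
    if not conn["isakmp_sa"]:
        problems.append("no established ISAKMP SA")
    if not conn["ipsec_sa"]:
        problems.append("no established IPsec SA")
    return problems


if __name__ == "__main__":
    status = parse_statusall(SAMPLE_STATUS)
    print("suiteB-384 @192:", verify(status["suiteB-384"], 192) or "OK")
    print("fallback   @128:", verify(status["fallback"], 128))
```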