Windows Suite B Support with IKEv1 » History » Version 3
Version 2 (Andreas Steffen, 08.07.2009 09:38) → Version 3/26 (Andreas Steffen, 08.07.2009 22:42)
h1. Windows Suite B Support
Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.
The following command sets the IKEv1 main mode algorithms:
<pre>
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
</pre>
The currently configured algorithms can be checked using the command:
<pre>
netsh advfirewall show global
Main Mode:
KeyLifetime 480min,0sess
SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH No
</pre>
On the strongSwan side, the following entry is required in ipsec.conf for DH group 19 (ECP_256):
<pre>
ike=aes128-sha256-ecp256!
</pre>
or for DH group 20 (ECP_384):
<pre>
ike=aes192-sha384-ecp384!
</pre>
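To keep both ends in step, the following added example (not part of the original wiki page or of strongSwan) parses the @SecMethods@ line printed by @netsh advfirewall show global@ and builds the matching strict @ike=@ line, optionally dropping methods that do not use an elliptic curve DH group. The function names and the keyword tables beyond the two proposals shown above are the example's own; the sample input is the output listed on this page.

```python
import re

# Windows netsh keyword -> strongSwan ipsec.conf keyword (tables added for this example)
DH = {"DHGROUP1": "modp768", "DHGROUP2": "modp1024", "DHGROUP14": "modp2048",
      "ECDHP256": "ecp256", "ECDHP384": "ecp384"}
ENC = {"DES": "des", "3DES": "3des",
       "AES128": "aes128", "AES192": "aes192", "AES256": "aes256"}
INTEG = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA384": "sha384"}

# Constructed sample: the main mode section as shown on this page
SAMPLE = """Main Mode:
KeyLifetime 480min,0sess
SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH No
"""

def parse_secmethods(text):
    """Return [(dh, enc, integ), ...] in the order Windows lists them."""
    m = re.search(r"^\s*SecMethods\s+(\S+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no SecMethods line found")
    methods = []
    for item in m.group(1).split(","):
        parts = item.upper().split("-")
        if len(parts) != 3:
            raise ValueError(f"unexpected method format: {item!r}")
        methods.append(tuple(parts))
    return methods

def to_ike(method):
    """Windows lists DH-ENC-INTEG; ipsec.conf expects enc-integ-dh."""
    dh, enc, integ = method
    try:
        return f"{ENC[enc]}-{INTEG[integ]}-{DH[dh]}"
    except KeyError as e:
        raise ValueError(f"unknown netsh keyword: {e.args[0]}") from None

def non_ecp_methods(text):
    """Proposals that fall back to a MODP group instead of ECP."""
    return [to_ike(m) for m in parse_secmethods(text) if not m[0].startswith("ECDH")]

def ike_line(text, ecp_only=False):
    """Build a strict ('!') ike= line; ecp_only drops the MODP fallbacks."""
    props = [to_ike(m) for m in parse_secmethods(text)
             if not ecp_only or m[0].startswith("ECDH")]
    if not props:
        raise ValueError("no proposals left after filtering")
    return "ike=" + ",".join(props) + "!"
```

For the sample above, @non_ecp_methods(SAMPLE)@ reports the @dhgroup14:aes128-sha1@ method, which has no counterpart among the two @ike=@ entries listed on this page.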