Windows Suite B Support with IKEv1 » History » Version 4

Andreas Steffen, 11.07.2009 23:24
set quickmode methods

h1. Windows Suite B Support

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.

The following command sets the IKEv1 main mode algorithms:

<pre>
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
</pre>

The currently configured algorithms can be checked using the command:

<pre>
netsh advfirewall show global

Main Mode:
KeyLifetime  480min,0sess
SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH      No
</pre>

On the strongSwan side, the following entry is required in ipsec.conf for DH group 19 (ECP_256):

<pre>
ike=aes128-sha256-ecp256!
</pre>

or for DH group 20 (ECP_384):

<pre>
ike=aes192-sha384-ecp384!
</pre>
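
The correspondence between the Windows main mode SecMethods entries and the strongSwan ike= lines above can be checked mechanically. The following script is an added example, not part of the original wiki page or of strongSwan: it parses constructed netsh advfirewall show global output and emits the matching strict proposals. The function names and the ecp_only switch are hypothetical; modp2048 is the strongSwan keyword for DH group 14.

```python
import re

# Windows netsh keyword -> strongSwan ipsec.conf keyword.
# Only the keywords that appear on this page are mapped.
DH = {"ECDHP256": "ecp256", "ECDHP384": "ecp384", "DHGROUP14": "modp2048"}
ENC = {"AES128": "aes128", "AES192": "aes192"}
INTEG = {"SHA1": "sha1", "SHA256": "sha256", "SHA384": "sha384"}

# Constructed sample: the "Main Mode" part of `netsh advfirewall show global`.
SAMPLE = """\
Main Mode:
KeyLifetime  480min,0sess
SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH      No
"""

def sec_methods(netsh_output):
    """Return the SecMethods entries in the order Windows lists them."""
    m = re.search(r"^[ \t]*SecMethods[ \t]+(\S+)", netsh_output, re.MULTILINE)
    if not m:
        raise ValueError("no SecMethods line in netsh output")
    return m.group(1).split(",")

def to_ike(method):
    """Translate one DH-ENC-INTEG entry into a strongSwan ike= proposal."""
    parts = method.upper().split("-")
    if len(parts) != 3:
        raise ValueError("unexpected SecMethods entry: %r" % method)
    dh, enc, integ = parts
    try:
        # strongSwan order is encryption-integrity-dhgroup.
        return "-".join((ENC[enc], INTEG[integ], DH[dh]))
    except KeyError as exc:
        raise ValueError("unmapped keyword %s in %r" % (exc, method)) from None

def ike_lines(netsh_output, ecp_only=True):
    """Build strict ike= lines; with ecp_only, skip the MODP fallback."""
    proposals = [to_ike(m) for m in sec_methods(netsh_output)]
    if ecp_only:
        proposals = [p for p in proposals if "-ecp" in p]
    return ["ike=%s!" % p for p in proposals]

if __name__ == "__main__":
    for line in ike_lines(SAMPLE):
        print(line)
```

Unmapped keywords raise ValueError rather than being passed through, so a Windows proposal the table does not cover is never silently turned into an ike= line.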

The following command sets the quick mode algorithms of the connection security rule VPN ECP:

<pre>
netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128
</pre>