Version 4 - History - Windows Suite B Support with IKEv1 - strongSwan

Windows Suite B Support with IKEv1 » History » Version 4

Andreas Steffen, 11.07.2009 23:24
set quickmode methods

-Andreas Steffen
+h1. Windows Suite B Support
 Andreas Steffen
-Andreas Steffen
+Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.
 Andreas Steffen
-Andreas Steffen
+The following command sets the IKEv1 main mode algorithms:
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The currently configured algorithms can be checked using the command:
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+netsh advfirewall show global
 Andreas Steffen
-Andreas Steffen
+Main Mode:
-Andreas Steffen
+KeyLifetime  480min,0sess
-Andreas Steffen
+SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
-Andreas Steffen
+ForceDH      No
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+On the strongSwan side the following entries are required in ipsec.conf for the DH group 19 ECP_256
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+ike=aes128-sha256-ecp256!
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+or for the DH group 20 ECP_384
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+ike=aes192-sha384-ecp384!
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128
-Andreas Steffen
+</pre>

Project

General

Profile

strongSwan

Windows Suite B Support with IKEv1 » History » Version 4