Windows Suite B Support with IKEv1 » History » Version 4
Andreas Steffen, 11.07.2009 23:24
set quickmode methods
1 | 1 | Andreas Steffen | h1. Windows Suite B Support |
---|---|---|---|
2 | 1 | Andreas Steffen | |
3 | 3 | Andreas Steffen | Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/. |
4 | 2 | Andreas Steffen | |
5 | 2 | Andreas Steffen | The following command sets the IKEv1 main mode algorithms: |
6 | 2 | Andreas Steffen | |
7 | 1 | Andreas Steffen | <pre> |
8 | 1 | Andreas Steffen | netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1 |
9 | 1 | Andreas Steffen | </pre> |
10 | 2 | Andreas Steffen | |
11 | 2 | Andreas Steffen | The currently configured algorithms can be checked using the command: |
12 | 1 | Andreas Steffen | |
13 | 1 | Andreas Steffen | <pre> |
14 | 1 | Andreas Steffen | netsh advfirewall show global |
15 | 1 | Andreas Steffen | |
16 | 1 | Andreas Steffen | Main Mode: |
17 | 1 | Andreas Steffen | KeyLifetime 480min,0sess |
18 | 1 | Andreas Steffen | SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 |
19 | 1 | Andreas Steffen | ForceDH No |
20 | 3 | Andreas Steffen | </pre> |
21 | 3 | Andreas Steffen | |
22 | 3 | Andreas Steffen | On the strongSwan side, the following entry is required in ipsec.conf for DH group 19 (ECP_256): |
23 | 3 | Andreas Steffen | |
24 | 3 | Andreas Steffen | <pre> |
25 | 3 | Andreas Steffen | ike=aes128-sha256-ecp256! |
26 | 3 | Andreas Steffen | </pre> |
27 | 3 | Andreas Steffen | |
28 | 3 | Andreas Steffen | or, for DH group 20 (ECP_384): |
29 | 3 | Andreas Steffen | |
30 | 3 | Andreas Steffen | <pre> |
31 | 3 | Andreas Steffen | ike=aes192-sha384-ecp384! |
32 | 1 | Andreas Steffen | </pre> |
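33 | 4 | Andreas Steffen | The following command sets the IKEv1 quick mode algorithms for the connection security rule named "VPN ECP": |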
34 | 4 | Andreas Steffen | <pre> |
35 | 4 | Andreas Steffen | netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128 |
36 | 4 | Andreas Steffen | </pre> |
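
The main mode mapping described above, as an added example that is not part of the original wiki page: a Python script that translates the SecMethods line of @netsh advfirewall show global@ into the matching strongSwan ike= lines and lists the proposals that do not use an ECP group. The function names, the DHGroup14 to modp2048 mapping and the SHA1 to sha1 mapping are assumptions added here; the two ECP pairs are the ones shown on the page.

```python
# Windows netsh token -> strongSwan ipsec.conf keyword. The two ECP proposals
# are the pairs shown on the page; DHGroup14 -> modp2048 and SHA1 -> sha1 are
# assumptions added for this example (IKE group 14 is the 2048-bit MODP group).
DH = {"ECDHP256": "ecp256", "ECDHP384": "ecp384", "DHGROUP14": "modp2048"}
ENC = {"AES128": "aes128", "AES192": "aes192"}
INTEG = {"SHA1": "sha1", "SHA256": "sha256", "SHA384": "sha384"}

# Constructed sample input: the "show global" excerpt quoted on the page.
SAMPLE = """\
Main Mode:
KeyLifetime                           480min,0sess
SecMethods                            ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH                               No
"""


def main_mode_methods(netsh_output):
    """Return [DH, ENC, INTEG] token lists from the Main Mode SecMethods line."""
    in_main_mode = False
    for line in netsh_output.splitlines():
        fields = line.split(None, 1)
        if line.strip().endswith(":"):          # section header, e.g. "Main Mode:"
            in_main_mode = line.strip().lower() == "main mode:"
        elif in_main_mode and len(fields) == 2 and fields[0].lower() == "secmethods":
            return [m.strip().upper().split("-") for m in fields[1].split(",")]
    raise ValueError("no Main Mode SecMethods line found")


def to_ike_lines(netsh_output):
    """Translate each Windows main mode method into a strict strongSwan ike= line."""
    lines = []
    for method in main_mode_methods(netsh_output):
        try:
            dh, enc, integ = method
            lines.append("ike=%s-%s-%s!" % (ENC[enc], INTEG[integ], DH[dh]))
        except (ValueError, KeyError):
            raise ValueError("cannot map method %s" % "-".join(method))
    return lines


def non_ecp_lines(netsh_output):
    """Proposals that Windows offers without an elliptic curve DH group."""
    return [l for l in to_ike_lines(netsh_output) if "-ecp" not in l]


if __name__ == "__main__":
    for line in to_ike_lines(SAMPLE):
        print(line)
    print("non-ECP fallback:", non_ecp_lines(SAMPLE))
```

Methods that the table does not cover raise ValueError, so an unexpected entry in the Windows configuration is reported instead of being silently dropped.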