Windows Suite B Support with IKEv1 » History » Version 5
Andreas Steffen, 11.07.2009 23:29
Windows Suite B Support
Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by RFC 4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.
The following command sets the IKEv1 main mode algorithms:
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
The currently configured algorithms can be checked using the command:
netsh advfirewall show global

Main Mode:
KeyLifetime 480min,0sess
SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH No
On the strongSwan side, the matching entry is required in ipsec.conf. For DH group 19 (ECP_256):
ike=aes128-sha256-ecp256!
or for DH group 20 (ECP_384):
ike=aes192-sha384-ecp384!
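To check that a strongSwan ike= line actually overlaps with the Windows Main Mode proposals before bringing the tunnel up, the following added example (not part of the original page or of strongSwan) translates the netsh method strings into strongSwan proposal notation and intersects the two lists. The mapping of DHGroup14 to modp2048 and the parsed sample output are assumptions based on the netsh output quoted above.

```python
import re

# Windows netsh DH group names -> strongSwan proposal keywords (assumed mapping).
DH_GROUPS = {
    "ecdhp256": "ecp256",
    "ecdhp384": "ecp384",
    "dhgroup14": "modp2048",
}


def windows_to_strongswan(method: str) -> str:
    """Translate one Windows Main Mode method such as 'ECDHP256-AES128-SHA256'
    into the strongSwan ike= form 'aes128-sha256-ecp256' (enc-integ-dh)."""
    dh, enc, integ = method.lower().split("-")
    if dh not in DH_GROUPS:
        raise ValueError(f"unknown Windows DH group: {dh}")
    return f"{enc}-{integ}-{DH_GROUPS[dh]}"


def parse_netsh_global(output: str) -> list:
    """Extract and translate the SecMethods list from 'netsh advfirewall show global' output."""
    m = re.search(r"SecMethods\s+(\S+)", output)
    if not m:
        return []
    return [windows_to_strongswan(x) for x in m.group(1).split(",")]


def strongswan_proposals(ike_line: str) -> list:
    """Split 'ike=aes128-sha256-ecp256!' into its proposals, dropping the strict '!' marker."""
    value = ike_line.split("=", 1)[1].strip().rstrip("!")
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def common_proposals(netsh_output: str, ike_line: str) -> list:
    """Return the proposals both peers accept, in Windows preference order."""
    accepted = set(strongswan_proposals(ike_line))
    return [p for p in parse_netsh_global(netsh_output) if p in accepted]


# Constructed sample: the 'netsh advfirewall show global' output quoted on this page.
SAMPLE_OUTPUT = """Main Mode:
KeyLifetime 480min,0sess
SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH No"""

if __name__ == "__main__":
    print(common_proposals(SAMPLE_OUTPUT, "ike=aes128-sha256-ecp256!"))   # ['aes128-sha256-ecp256']
    print(common_proposals(SAMPLE_OUTPUT, "ike=aes256-sha256-modp2048!"))  # []
```

An empty result means Main Mode will fail to negotiate, so one side's proposal list needs to change.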
The Quick Mode (ESP) algorithms of an existing connection security rule are set with:
netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128
The resulting rule can be displayed with:
netsh advfirewall consec show rule name="VPN ECP"

Rule Name: VPN ECP
----------------------------------------------------------------------
Enabled: Yes
Profiles: Domain,Private,Public
Type: Static
Mode: Tunnel
LocalTunnelEndpoint: Any
RemoteTunnelEndpoint: 10.10.0.1
Endpoint1: 10.10.0.6/32
Endpoint2: 10.10.1.0/24
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerCert
Auth1CAName: C=CH, O=strongSwan Project, CN=strongSwan 2009 CA
Auth1CertMapping: No
Auth1ExcludeCAName: No
Auth1CertType: Root
Auth1HealthCert: No
MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods: ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:SHA1-AES128+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Ok.