Windows Suite B Support with IKEv1 » History » Version 5

Andreas Steffen, 11.07.2009 23:29
show rule

Windows Suite B Support

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by RFC 4869. For Windows configuration details see

The following command sets the IKEv1 main mode algorithms:

netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1

The currently configured algorithms can be checked using the command:

netsh advfirewall show global

Main Mode:
KeyLifetime  480min,0sess
SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH      No

On the strongSwan side the following entries are required in ipsec.conf for the DH group 19 ECP_256


or for the DH group 20 ECP_384

The following commands set the IKEv1 quick mode (ESP) algorithms of the connection security rule "VPN ECP" and display the resulting rule:

netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128
netsh advfirewall consec show rule name="VPN ECP"

Rule Name:                            VPN ECP
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  Any
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCert
Auth1CAName:                          C=CH, O=strongSwan Project, CN=strongSwan 2009 CA
Auth1CertMapping:                     No
Auth1ExcludeCAName:                   No
Auth1CertType:                        Root
Auth1HealthCert:                      No
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:SHA1-AES128+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
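As an added example (not from the strongSwan wiki page or from netsh itself), the following Python parses the `show rule` listing format shown above and reports every main mode or quick mode proposal that is not one of the RFC 4869 Suite B combinations, so that weaker fallback proposals such as DHGroup14-AES128-SHA1 and ESP:SHA1-AES128, which a peer could still negotiate, are made visible. The sample listing is constructed from the output on this page.

```python
import re

# Constructed sample: the MainMode/QuickMode lines of the
# `netsh advfirewall consec show rule` output shown on this page.
SAMPLE_RULE_OUTPUT = """\
Rule Name:                            VPN ECP
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:SHA1-AES128+60min+100000kb
"""

# RFC 4869 Suite B IKE proposals in netsh spelling (dhgroup-cipher-hash).
SUITE_B_MAINMODE = {"ECDHP256-AES128-SHA256", "ECDHP384-AES256-SHA384"}
# RFC 4869 Suite B ESP proposals: AES-GCM with 128- or 256-bit keys (netsh
# names the combined-mode cipher twice, as integrity and as encryption).
SUITE_B_QUICKMODE = {"ESP:AESGCM128-AESGCM128", "ESP:AESGCM256-AESGCM256"}


def parse_rule(text):
    """Map each 'Field:   value' line of the rule listing to {field: value}."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9 ]+?):\s+(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_quickmode(value):
    """Split 'ESP:AESGCM128-AESGCM128+60min+100000kb' into (proposal, minutes, kbytes)."""
    proposals = []
    for item in value.split(","):
        parts = item.split("+")
        minutes = kbytes = None
        for p in parts[1:]:
            if p.endswith("min"):
                minutes = int(p[:-3])
            elif p.endswith("kb"):
                kbytes = int(p[:-2])
        proposals.append((parts[0], minutes, kbytes))
    return proposals


def non_suite_b_proposals(text):
    """List the (phase, proposal) pairs the rule offers that are outside Suite B."""
    fields = parse_rule(text)
    weak = []
    for prop in fields.get("MainModeSecMethods", "").split(","):
        if prop and prop not in SUITE_B_MAINMODE:
            weak.append(("mainmode", prop))
    for prop, _minutes, _kbytes in parse_quickmode(fields.get("QuickModeSecMethods", "")):
        if prop and prop not in SUITE_B_QUICKMODE:
            weak.append(("quickmode", prop))
    return weak
```

Because netsh offers the proposals in the listed order, a peer that only supports the last ones still gets a tunnel; the report shows which of those are outside Suite B.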