Windows Suite B Support with IKEv1 » History » Version 6

Version 5 (Andreas Steffen, 11.07.2009 23:29) → Version 6/26 (Andreas Steffen, 11.07.2009 23:43)

h1. Windows Suite B Support

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.

The following command sets the global IKEv1 main mode security methods, each given as DH group, encryption algorithm and integrity algorithm. The first two are Suite B suites; the third, DH group 14 with AES-128 and SHA-1, is a non-Suite-B fallback that Windows offers in addition:

<pre>
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
</pre>

The currently configured algorithms can be checked using the command:

<pre>
netsh advfirewall show global

Main Mode:
KeyLifetime 480min,0sess
SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH No
</pre>

On the strongSwan side the matching ike= entry in ipsec.conf for DH group 19 (ECP_256) is shown below. The trailing ! makes the proposal strict: strongSwan accepts only this suite and rejects the DH group 14/AES-128/SHA-1 method that Windows offers as a fallback.

<pre>
ike=aes128-sha256-ecp256!
</pre>

or for DH group 20 (ECP_384):

<pre>
ike=aes192-sha384-ecp384!
</pre>

The quick mode security methods of the connection security rule, here an existing tunnel mode rule named "VPN ECP", are set with the command below. In the netsh quick mode notation the integrity algorithm precedes the encryption algorithm; for AES-GCM, which provides both, the same name appears twice:

<pre>
netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128
</pre>

The resulting rule can be checked with:

<pre>
netsh advfirewall consec show rule name="VPN ECP"

Rule Name: VPN ECP
----------------------------------------------------------------------
Enabled: Yes
Profiles: Domain,Private,Public
Type: Static
Mode: Tunnel
LocalTunnelEndpoint: Any
RemoteTunnelEndpoint: 10.10.0.1
Endpoint1: 10.10.0.6/32
Endpoint2: 10.10.1.0/24
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerCert
Auth1CAName: C=CH, O=strongSwan Project, CN=strongSwan 2009 CA
Auth1CertMapping: No
Auth1ExcludeCAName: No
Auth1CertType: Root
Auth1HealthCert: No
MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods: ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:SHA1-AES128+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Ok.
</pre>

On the strongSwan side the matching strict esp= entry for the AESGCM128-AESGCM128 method, i.e. AES-GCM with a 128-bit key and a 16 byte ICV (aes128gcm16 is the same as aes128gcm128), is shown below. AES-GCM is an AEAD cipher and needs no separate integrity algorithm; since no DH group is appended, no PFS is requested in quick mode.

<pre>
esp=aes128gcm16!
</pre>

or for the AESGCM192-AESGCM192 method:

<pre>
esp=aes192gcm16!
</pre>
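Putting the two sides together, as an added example that is neither part of this page nor strongSwan's or Microsoft's own tooling: the Python script below reads the text that netsh advfirewall consec show rule prints (the listing above, abridged, is embedded as constructed sample input), converts the Windows main mode and quick mode method names into strongSwan ike= and esp= keywords, and renders the ipsec.conf conn for the strongSwan gateway at 10.10.0.1. The leftcert file name and the conn names are assumptions; the DHGroup14 to modp2048 and SHA1 to sha1 mappings follow strongSwan's keyword names and are not taken from the Windows listing. Every method Windows offers besides the selected Suite B pair is reported as rejected, because the strict ! keeps strongSwan from negotiating down to it.

```python
"""Derive the strongSwan side of a Windows Suite B connection security rule.
Added example, not strongSwan's or Microsoft's tooling: it parses what
"netsh advfirewall consec show rule" prints and renders an ipsec.conf conn."""
import re

# Windows -> strongSwan keywords. The Suite B names are the ones used on this page;
# DHGroup14 is the 2048-bit MODP group and DHGroup2 the 1024-bit one.
ENC = {"AES128": "aes128", "AES192": "aes192", "AES256": "aes256", "3DES": "3des"}
INTEG = {"SHA1": "sha1", "SHA256": "sha256", "SHA384": "sha384"}
DH = {"ECDHP256": "ecp256", "ECDHP384": "ecp384", "DHGROUP14": "modp2048", "DHGROUP2": "modp1024"}


def mainmode_to_ike(method):
    """'ECDHP256-AES128-SHA256' -> 'aes128-sha256-ecp256' (strongSwan order: enc-integ-dh)."""
    dh, enc, integ = method.strip().upper().split("-")
    return f"{ENC[enc]}-{INTEG[integ]}-{DH[dh]}"


def quickmode_to_esp(method):
    """'ESP:AESGCM128-AESGCM128+60min+100000kb' -> ('aes128gcm16', 60, 100000).
    netsh writes PROTO:integrity-encryption plus optional time/volume limits. AES-GCM
    is an AEAD, so both halves carry the same name and strongSwan uses one keyword
    with the ICV length in bytes (aes128gcm16 is the same as aes128gcm128)."""
    proto, rest = method.strip().upper().split(":", 1)
    if proto != "ESP":
        raise ValueError(f"only ESP is mapped here, got {proto}")
    algs = rest.split("+")[0]
    integ, enc = algs.split("-")
    gcm = re.fullmatch(r"AESGCM(128|192|256)", enc)
    if gcm and integ != enc:
        raise ValueError(f"AES-GCM halves must match: {algs}")
    proposal = f"aes{gcm.group(1)}gcm16" if gcm else f"{ENC[enc]}-{INTEG[integ]}"
    limits = {unit: int(n) for n, unit in re.findall(r"\+(\d+)(MIN|KB)", rest)}
    return proposal, limits.get("MIN"), limits.get("KB")


def parse_rule(text):
    """Collect the 'Key: Value' lines of the netsh listing into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9 ]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def render_conn(text, name, dh_group="ecp256", leftcert="strongSwanCert.pem"):
    """Render the gateway's conn. dh_group picks the Suite B level (ecp256 or ecp384);
    the ESP proposal is the AES-GCM method with the same AES key length. leftcert is
    an assumed file name, the Windows listing does not contain it."""
    r = parse_rule(text)
    if r.get("Mode") != "Tunnel":
        raise ValueError("only tunnel mode rules are handled")
    ike_all = [mainmode_to_ike(m) for m in r["MainModeSecMethods"].split(",")]
    esp_all = [quickmode_to_esp(m) for m in r["QuickModeSecMethods"].split(",")]
    ike = next((p for p in ike_all if p.endswith("-" + dh_group)), None)
    if ike is None:
        raise ValueError(f"Windows offers no {dh_group} main mode method")
    keylen = ike.split("-")[0]                                   # e.g. 'aes128'
    esp = next((p for p in esp_all if p[0] == f"{keylen}gcm16"), None)
    if esp is None:
        raise ValueError(f"Windows offers no {keylen} AES-GCM quick mode method")
    esp, minutes, _kbytes = esp
    # Everything else Windows offers (here the DHGroup14/SHA1 methods) is rejected:
    # the trailing '!' makes strongSwan strict, so it never negotiates down to them.
    rejected = [p for p in ike_all if p != ike] + [p[0] for p in esp_all if p[0] != esp]
    local = r.get("LocalTunnelEndpoint", "Any")
    lines = [f"conn {name}",
             "\tkeyexchange=ikev1",
             f"\tike={ike}!",
             f"\tesp={esp}!",                       # no DH group: no PFS in quick mode
             f"\tleft={r['RemoteTunnelEndpoint']}",  # the strongSwan gateway itself
             f"\tleftsubnet={r['Endpoint2']}",
             f"\tleftcert={leftcert}",
             f"\tright={'%any' if local.lower() == 'any' else local}",
             f"\trightsubnet={r['Endpoint1']}"]      # the Windows host
    if minutes:
        lines.append(f"\tlifetime={minutes}m")       # Windows quick mode time limit
    if r.get("Auth1") == "ComputerCert" and r.get("Auth1CAName"):
        lines.append(f"\trightca=\"{r['Auth1CAName']}\"")
    lines.append("\tauto=add")
    return "\n".join(lines), rejected


# Constructed sample input, abridged from the "netsh advfirewall consec show rule" listing above.
WINDOWS_RULE = """\
Mode: Tunnel
LocalTunnelEndpoint: Any
RemoteTunnelEndpoint: 10.10.0.1
Endpoint1: 10.10.0.6/32
Endpoint2: 10.10.1.0/24
Auth1: ComputerCert
Auth1CAName: C=CH, O=strongSwan Project, CN=strongSwan 2009 CA
MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods: ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:SHA1-AES128+60min+100000kb
"""

if __name__ == "__main__":
    for group in ("ecp256", "ecp384"):
        conf, rejected = render_conn(WINDOWS_RULE, f"vpn-ecp-{group[3:]}", dh_group=group)
        print(conf + "\n# offered by Windows but rejected by the strict '!': " + ", ".join(rejected) + "\n")
```

Run without arguments to print the conn blocks for the ECP_256 and ECP_384 levels. The Windows listing also carries a 100000 kB volume limit per quick mode SA, which the script parses but does not emit; and if the Windows rule requests quick mode PFS, the same DH group has to be appended to the esp= line on the strongSwan side.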