Windows Suite B Support with IKEv1 » History » Version 7

Andreas Steffen, 11.07.2009 23:47
added ipsec statusall output

h1. Windows Suite B Support

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.

The following command sets the IKEv1 main mode algorithms:

<pre>
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
</pre>

The currently configured algorithms can be checked using the command:

<pre>
netsh advfirewall show global

Main Mode:
KeyLifetime  480min,0sess
SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH      No
</pre>

On the strongSwan side the following entry is required in ipsec.conf for DH group 19 (ECP_256):

<pre>
ike=aes128-sha256-ecp256!
</pre>

or for DH group 20 (ECP_384):

<pre>
ike=aes192-sha384-ecp384!
</pre>

The quick mode (ESP) algorithms are set on the Windows connection security rule, here named "VPN ECP":

<pre>
netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128
</pre>

The resulting rule can be displayed with:

<pre>
netsh advfirewall consec show rule name="VPN ECP"

Rule Name:                            VPN ECP
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  Any
RemoteTunnelEndpoint:                 10.10.0.1
Endpoint1:                            10.10.0.6/32
Endpoint2:                            10.10.1.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCert
Auth1CAName:                          C=CH, O=strongSwan Project, CN=strongSwan 2009 CA
Auth1CertMapping:                     No
Auth1ExcludeCAName:                   No
Auth1CertType:                        Root
Auth1HealthCert:                      No
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:SHA1-AES128+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
Ok.
</pre>

The matching strongSwan ipsec.conf entry for AES-GCM with a 128 bit key (16 byte ICV) is

<pre>
esp=aes128gcm16!
</pre>

or for AES-GCM with a 192 bit key

<pre>
esp=aes192gcm16!
</pre>

The established connection, including the negotiated IKE and ESP proposals, can be inspected with ipsec statusall:

<pre>
ipsec statusall ecp

"ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: #12
"ecp":   CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'
"ecp":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"ecp":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"ecp":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"ecp":   newest ISAKMP SA: #11; newest IPsec SA: #12;
"ecp":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"ecp":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

#12: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3422s; newest IPSEC; eroute owner
#12: "ecp" esp.3ca2dd6b@10.10.0.6 (180 bytes, 172s ago) esp.368105e6@10.10.0.1 (240 bytes, 172s ago); tunnel
#11: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28622s; newest ISAKMP
</pre>
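As an added example that is not part of this wiki page or of strongSwan, the following Python translates the netsh main mode and quick mode method strings shown above into ipsec.conf notation, converts the proposal lines printed by ipsec statusall back into the same notation, and checks that a strict (!) strongSwan proposal is among those the Windows side offers. The mapping tables are limited to the names used on this page, and the translation of netsh dhgroup14 to strongSwan's modp2048 is this example's own assumption.

```python
"""Map the IKEv1 algorithm names used by Windows netsh to strongSwan ipsec.conf
notation and check that both peers share a proposal.  Added example for this wiki
page, not strongSwan or Microsoft code; dhgroup14 -> modp2048 is an assumption."""
import re

DH = {"ecdhp256": "ecp256", "ecdhp384": "ecp384", "dhgroup14": "modp2048"}

def mainmode_to_ike(mmsecmethods):
    """netsh 'dhgroup:enc-integ,...' -> ['enc-integ-dhgroup', ...]; Windows
    lists the DH group first, strongSwan puts it last."""
    proposals = []
    for method in mmsecmethods.lower().split(","):
        dh, enc_integ = method.split(":")
        enc, integ = enc_integ.split("-")
        proposals.append(f"{enc}-{integ}-{DH[dh]}")
    return proposals

def quickmode_to_esp(qmsecmethods):
    """Windows writes classic ESP as integ-enc (sha1-aes128), strongSwan as enc-integ
    (aes128-sha1); Windows AES-GCM always uses a 16-byte ICV, i.e. aesNgcm16."""
    proposals = []
    for method in qmsecmethods.lower().split(","):
        proto, alg = method.split(":")
        if proto != "esp":  # e.g. 'ah:sha1' has no esp= equivalent
            continue
        first, second = alg.split("-")
        gcm = re.fullmatch(r"aesgcm(128|192|256)", first)
        proposals.append(f"aes{gcm.group(1)}gcm16" if gcm else f"{second}-{first}")
    return proposals

def status_to_keyword(status_line):
    """'ipsec statusall' proposal line -> ipsec.conf notation (AUTH_NONE, <N/A> ignored)."""
    words = []
    for alg in status_line.rsplit(":", 1)[1].strip().split("/"):
        if m := re.fullmatch(r"AES_CBC_(\d+)", alg):
            words.append(f"aes{m.group(1)}")
        elif m := re.fullmatch(r"AES_GCM_(\d+)_(\d+)", alg):   # ICV bytes, key bits
            words.append(f"aes{m.group(2)}gcm{m.group(1)}")
        elif m := re.fullmatch(r"HMAC_SHA(?:2_)?(\d+)", alg):
            words.append(f"sha{m.group(1)}")
        elif m := re.fullmatch(r"(ECP|MODP)_(\d+)", alg):
            words.append(f"{m.group(1).lower()}{m.group(2)}")
    return "-".join(words)

def common_proposal(ipsec_conf_value, windows_proposals):
    """First ipsec.conf proposal Windows also offers, else None ('!' = offer only these)."""
    for proposal in ipsec_conf_value.rstrip("!").split(","):
        if proposal in windows_proposals:
            return proposal
    return None
```

Feeding the page's mmsecmethods and qmsecmethods strings through the two translators and comparing against the `ike=` and `esp=` lines above shows which of the three Windows proposals each strict strongSwan setting will match.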