Windows Suite B Support with IKEv1 » History » Version 7
Andreas Steffen, 11.07.2009 23:47
added ipsec statusall output
| 1 | 1 | Andreas Steffen | h1. Windows Suite B Support |
|---|---|---|---|
| 2 | 1 | Andreas Steffen | |
| 3 | 3 | Andreas Steffen | Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by "RFC 4869":http://tools.ietf.org/html/rfc4869. For Windows configuration details see http://support.microsoft.com/kb/949856/. |
| 4 | 2 | Andreas Steffen | |
| 5 | 2 | Andreas Steffen | The following command sets the IKEv1 main mode algorithms: |
| 6 | 2 | Andreas Steffen | |
| 7 | 1 | Andreas Steffen | <pre> |
| 8 | 1 | Andreas Steffen | netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1 |
| 9 | 1 | Andreas Steffen | </pre> |
| 10 | 2 | Andreas Steffen | |
| 11 | 2 | Andreas Steffen | The currently configured algorithms can be checked using the command: |
| 12 | 1 | Andreas Steffen | |
| 13 | 1 | Andreas Steffen | <pre> |
| 14 | 1 | Andreas Steffen | netsh advfirewall show global |
| 15 | 1 | Andreas Steffen | |
| 16 | 1 | Andreas Steffen | Main Mode: |
| 17 | 1 | Andreas Steffen | KeyLifetime 480min,0sess |
| 18 | 1 | Andreas Steffen | SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 |
| 19 | 1 | Andreas Steffen | ForceDH No |
| 20 | 3 | Andreas Steffen | </pre> |
| 21 | 3 | Andreas Steffen | |
| 22 | 3 | Andreas Steffen | On the strongSwan side the following entries are required in ipsec.conf for the DH group 19 ECP_256 |
| 23 | 3 | Andreas Steffen | |
| 24 | 3 | Andreas Steffen | <pre> |
| 25 | 3 | Andreas Steffen | ike=aes128-sha256-ecp256! |
| 26 | 3 | Andreas Steffen | </pre> |
| 27 | 3 | Andreas Steffen | |
| 28 | 3 | Andreas Steffen | or for the DH group 20 ECP_384 |
| 29 | 3 | Andreas Steffen | |
| 30 | 3 | Andreas Steffen | <pre> |
| 31 | 3 | Andreas Steffen | ike=aes192-sha384-ecp384! |
| 32 | 1 | Andreas Steffen | </pre> |
| 33 | 4 | Andreas Steffen | |
| 34 | 4 | Andreas Steffen | <pre> |
| 35 | 4 | Andreas Steffen | netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128 |
| 36 | 4 | Andreas Steffen | </pre> |
| 37 | 5 | Andreas Steffen | |
| 38 | 5 | Andreas Steffen | <pre> |
| 39 | 5 | Andreas Steffen | netsh advfirewall consec show rule name="VPN ECP" |
| 40 | 5 | Andreas Steffen | |
| 41 | 5 | Andreas Steffen | Rule Name: VPN ECP |
| 42 | 5 | Andreas Steffen | ---------------------------------------------------------------------- |
| 43 | 5 | Andreas Steffen | Enabled: Yes |
| 44 | 5 | Andreas Steffen | Profiles: Domain,Private,Public |
| 45 | 5 | Andreas Steffen | Type: Static |
| 46 | 5 | Andreas Steffen | Mode: Tunnel |
| 47 | 5 | Andreas Steffen | LocalTunnelEndpoint: Any |
| 48 | 5 | Andreas Steffen | RemoteTunnelEndpoint: 10.10.0.1 |
| 49 | 5 | Andreas Steffen | Endpoint1: 10.10.0.6/32 |
| 50 | 5 | Andreas Steffen | Endpoint2: 10.10.1.0/24 |
| 51 | 5 | Andreas Steffen | Protocol: Any |
| 52 | 5 | Andreas Steffen | Action: RequireInRequireOut |
| 53 | 5 | Andreas Steffen | Auth1: ComputerCert |
| 54 | 5 | Andreas Steffen | Auth1CAName: C=CH, O=strongSwan Project, CN=strongSwan 2009 CA |
| 55 | 5 | Andreas Steffen | Auth1CertMapping: No |
| 56 | 5 | Andreas Steffen | Auth1ExcludeCAName: No |
| 57 | 5 | Andreas Steffen | Auth1CertType: Root |
| 58 | 5 | Andreas Steffen | Auth1HealthCert: No |
| 59 | 5 | Andreas Steffen | MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1 |
| 60 | 5 | Andreas Steffen | QuickModeSecMethods: ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:SHA1-AES128+60min+100000kb |
| 61 | 5 | Andreas Steffen | ExemptIPsecProtectedConnections: No |
| 62 | 5 | Andreas Steffen | ApplyAuthorization: No |
| 63 | 5 | Andreas Steffen | Ok. |
| 64 | 5 | Andreas Steffen | </pre> |
| 65 | 6 | Andreas Steffen | |
| 66 | 6 | Andreas Steffen | <pre> |
| 67 | 6 | Andreas Steffen | esp=aes128gcm16! |
| 68 | 6 | Andreas Steffen | </pre> |
| 69 | 6 | Andreas Steffen | |
| 70 | 6 | Andreas Steffen | <pre> |
| 71 | 6 | Andreas Steffen | esp=aes192gcm16! |
| 72 | 6 | Andreas Steffen | </pre> |
| 73 | 7 | Andreas Steffen | |
| 74 | 7 | Andreas Steffen | <pre> |
| 75 | 7 | Andreas Steffen | ipsec statusall ecp |
| 76 | 7 | Andreas Steffen | |
| 77 | 7 | Andreas Steffen | "ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: #12 |
| 78 | 7 | Andreas Steffen | "ecp": CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA' |
| 79 | 7 | Andreas Steffen | "ecp": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 |
| 80 | 7 | Andreas Steffen | "ecp": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s; |
| 81 | 7 | Andreas Steffen | "ecp": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; |
| 82 | 7 | Andreas Steffen | "ecp": newest ISAKMP SA: #11; newest IPsec SA: #12; |
| 83 | 7 | Andreas Steffen | "ecp": IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256 |
| 84 | 7 | Andreas Steffen | "ecp": ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A> |
| 85 | 7 | Andreas Steffen | |
| 86 | 7 | Andreas Steffen | #12: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3422s; newest IPSEC; eroute owner |
| 87 | 7 | Andreas Steffen | #12: "ecp" esp.3ca2dd6b@10.10.0.6 (180 bytes, 172s ago) esp.368105e6@10.10.0.1 (240 bytes, 172s ago); tunnel |
| 88 | 7 | Andreas Steffen | #11: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28622s; newest ISAKMP |
| 89 | 7 | Andreas Steffen | </pre> |