Windows Suite B Support with IKEv1 » History » Version 7

Version 6 (Andreas Steffen, 11.07.2009 23:43) → Version 7/26 (Andreas Steffen, 11.07.2009 23:47)

h1. Windows Suite B Support

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by RFC 4869. For Windows configuration details see

The following command sets the IKEv1 main mode algorithms:

netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1

The currently configured algorithms can be checked using the command:

netsh advfirewall show global

Main Mode:
KeyLifetime 480min,0sess
SecMethods ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH No

On the strongSwan side, the following entries are required in ipsec.conf for DH group 19 (ECP_256)


or for DH group 20 (ECP_384)


netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128

netsh advfirewall consec show rule name="VPN ECP"

Rule Name: VPN ECP
Enabled: Yes
Profiles: Domain,Private,Public
Type: Static
Mode: Tunnel
LocalTunnelEndpoint: Any
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerCert
Auth1CAName: C=CH, O=strongSwan Project, CN=strongSwan 2009 CA
Auth1CertMapping: No
Auth1ExcludeCAName: No
Auth1CertType: Root
Auth1HealthCert: No
MainModeSecMethods: ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods: ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:SHA1-AES128+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
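The main mode and quick mode method strings above use Windows naming (ecdhp256, dhgroup14, esp:integrity-encryption), while strongSwan expects its own proposal keywords in ike= and esp=. The following script is an added example, not code from the wiki page or the strongSwan project: it translates the two netsh method lists from the page into the equivalent strongSwan proposal strings and flags the fallback methods that rely on SHA-1 or a classic MODP group rather than Suite B algorithms. The keyword mapping (ecdhp256 to ecp256, dhgroup14 to modp2048, aesgcm128 to aes128gcm128) and the assumption that the esp: methods list the integrity algorithm before the encryption algorithm are this example's own.

```python
"""Translate Windows netsh IPsec method strings into strongSwan proposal keywords.

Added example, not part of the strongSwan wiki page. The Windows-side names are the
ones used in the page's netsh commands; the strongSwan keyword spellings are assumed.
"""
import re

# Windows name -> strongSwan keyword (mapping assumed for this example).
# dhgroup14 is the 2048-bit MODP group of RFC 3526, hence modp2048.
DH_GROUPS = {"ecdhp256": "ecp256", "ecdhp384": "ecp384",
             "dhgroup14": "modp2048", "dhgroup2": "modp1024"}
CIPHERS = {"aes128": "aes128", "aes192": "aes192", "aes256": "aes256", "3des": "3des"}
INTEGRITY = {"sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "md5": "md5"}
# AES-GCM: Windows repeats the cipher name in both slots; strongSwan puts the
# 128-bit ICV length into the keyword (aes128gcm128, aes192gcm128, ...).
GCM = {"aesgcm128": "aes128gcm128", "aesgcm192": "aes192gcm128", "aesgcm256": "aes256gcm128"}

# Algorithms that are not Suite B: SHA-1/MD5 integrity, classic MODP groups, 3DES.
LEGACY = {"sha1", "md5", "dhgroup14", "dhgroup2", "3des"}


def mainmode_to_ike(method: str) -> tuple[str, bool]:
    """Convert one 'dhgroup:cipher-hash' main mode method into an ike= proposal.

    Returns (proposal, legacy); legacy is True for fallbacks such as
    dhgroup14:aes128-sha1 that use non-Suite-B algorithms.
    """
    m = re.fullmatch(r"(\w+):(\w+)-(\w+)", method.strip().lower())
    if not m:
        raise ValueError(f"unparseable main mode method: {method!r}")
    group, cipher, hash_ = m.groups()
    proposal = f"{CIPHERS[cipher]}-{INTEGRITY[hash_]}-{DH_GROUPS[group]}"
    return proposal, bool({group, cipher, hash_} & LEGACY)


def quickmode_to_esp(method: str) -> tuple[str, bool]:
    """Convert one 'esp:integrity-encryption' quick mode method into an esp= proposal."""
    m = re.fullmatch(r"esp:(\w+)-(\w+)", method.strip().lower())
    if not m:
        raise ValueError(f"unsupported quick mode method: {method!r}")
    integrity, enc = m.groups()
    if enc in GCM:
        # AEAD cipher: GCM provides integrity itself, no separate hash keyword.
        return GCM[enc], False
    return f"{CIPHERS[enc]}-{INTEGRITY[integrity]}", bool({integrity, enc} & LEGACY)


def translate(mmsecmethods: str, qmsecmethods: str) -> dict:
    """Translate both netsh method lists; returns ike=, esp= and the legacy entries."""
    ike = [mainmode_to_ike(m) for m in mmsecmethods.split(",")]
    esp = [quickmode_to_esp(m) for m in qmsecmethods.split(",")]
    return {
        "ike": ",".join(p for p, _ in ike),
        "esp": ",".join(p for p, _ in esp),
        "legacy": [p for p, old in ike + esp if old],
    }


if __name__ == "__main__":
    # Method strings exactly as given in the page's netsh commands.
    result = translate(
        "ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1",
        "esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128",
    )
    print(f"ike={result['ike']}")
    print(f"esp={result['esp']}")
    for p in result["legacy"]:
        print(f"warning: {p} is a non-Suite-B fallback proposal")
```

Running it on the page's method lists prints ike=aes128-sha256-ecp256,aes192-sha384-ecp384,aes128-sha1-modp2048 and esp=aes192gcm128,aes128gcm128,aes128-sha1, and warns about the two SHA-1 fallbacks. Whether the fallbacks are kept is a policy decision: if they are, a peer that does not offer the ECP groups silently ends up on the weaker proposal, which is exactly what the statusall check further down makes visible.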



ipsec statusall ecp

"ecp":[]...[C=CH, O=strongSwan Project,]; erouted; eroute owner: #12
"ecp": CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'
"ecp": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"ecp": dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"ecp": policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"ecp": newest ISAKMP SA: #11; newest IPsec SA: #12;
"ecp": IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"ecp": ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

#12: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3422s; newest IPSEC; eroute owner
#12: "ecp" esp.3ca2dd6b@ (180 bytes, 172s ago) esp.368105e6@ (240 bytes, 172s ago); tunnel
#11: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28622s; newest ISAKMP