Project

General

Profile

Windows Suite B Support with IKEv1 » History » Version 9

« Previous - Version 9/26 (diff) - Next » - Current version
Andreas Steffen, 13.07.2009 06:18
extended strongSwan configuration


Windows Suite B Support

Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by RFC 4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.

The following command sets the IKEv1 Main Mode algorithms:

netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1

The currently configured algorithms can be checked using the command:

netsh advfirewall show global

Main Mode:
KeyLifetime  480min,0sess
SecMethods   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH      No

The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN ECP":

netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128

The current rule settings are shown with the following command:

netsh advfirewall consec show rule name="VPN ECP" 

Rule Name:                            VPN ECP
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  Any
RemoteTunnelEndpoint:                 10.10.0.1
Endpoint1:                            10.10.0.6/32
Endpoint2:                            10.10.1.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCert
Auth1CAName:                          C=CH, O=strongSwan Project, CN=strongSwan 2009 CA
Auth1CertMapping:                     No
Auth1ExcludeCAName:                   No
Auth1CertType:                        Root
Auth1HealthCert:                      No
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:SHA1-AES128+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
Ok.

On the strongSwan side the following entries are required in ipsec.conf for 128 bit security:

conn ecp
     keyexchange=ikev1
     ike=aes128-sha256-ecp256!
     esp=aes128gcm16!
     pfs=no

and for 192 bit security:

conn ecp
     keyexchange=ikev1
     ike=aes192-sha384-ecp384!
     esp=aes192gcm16!
     pfs=no

Here the status output for 128 bit security:

ipsec statusall ecp

"ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: #12
"ecp":   CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'
"ecp":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"ecp":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"ecp":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; 
"ecp":   newest ISAKMP SA: #11; newest IPsec SA: #12; 
"ecp":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"ecp":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>

#12: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3422s; newest IPSEC; eroute owner
#12: "ecp" esp.3ca2dd6b@10.10.0.6 (180 bytes, 172s ago) esp.368105e6@10.10.0.1 (240 bytes, 172s ago); tunnel
#11: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28622s; newest ISAKMP

and 192 bit security:

ipsec statusall ecp

"ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: #16
"ecp":   CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'
"ecp":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"ecp":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"ecp":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1; 
"ecp":   newest ISAKMP SA: #15; newest IPsec SA: #16; 
"ecp":   IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384
"ecp":   ESP proposal: AES_GCM_16_192/AUTH_NONE/<N/A>

#16: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3584s; newest IPSEC; eroute owner
#16: "ecp" esp.5ee37f6a@10.10.0.6 (180 bytes, 10s ago) esp.a350055d@10.10.0.1 (240 bytes, 10s ago); tunnel
#15: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28783s; newest ISAKMP