Windows Suite B Support with IKEv1 » History » Version 9
Andreas Steffen, 13.07.2009 06:18
extended strongSwan configuration
Windows Suite B Support
Windows Vista Service Pack 1, Windows Server 2008 and Windows 7 support the Suite B cryptographic algorithms for IPsec defined by RFC 4869. For Windows configuration details see http://support.microsoft.com/kb/949856/.
The following command sets the IKEv1 Main Mode algorithms:
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1
The currently configured algorithms can be checked using the command:
netsh advfirewall show global

Main Mode:
KeyLifetime                           480min,0sess
SecMethods                            ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
ForceDH                               No
The following command sets the IKEv1 Quick Mode algorithms in the rule "VPN ECP":
netsh advfirewall consec set rule name="VPN ECP" new qmsecmethods=esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128
The current rule settings are shown with the following command:
netsh advfirewall consec show rule name="VPN ECP"

Rule Name:                            VPN ECP
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain,Private,Public
Type:                                 Static
Mode:                                 Tunnel
LocalTunnelEndpoint:                  Any
RemoteTunnelEndpoint:                 10.10.0.1
Endpoint1:                            10.10.0.6/32
Endpoint2:                            10.10.1.0/24
Protocol:                             Any
Action:                               RequireInRequireOut
Auth1:                                ComputerCert
Auth1CAName:                          C=CH, O=strongSwan Project, CN=strongSwan 2009 CA
Auth1CertMapping:                     No
Auth1ExcludeCAName:                   No
Auth1CertType:                        Root
Auth1HealthCert:                      No
MainModeSecMethods:                   ECDHP256-AES128-SHA256,ECDHP384-AES192-SHA384,DHGroup14-AES128-SHA1
QuickModeSecMethods:                  ESP:AESGCM192-AESGCM192+60min+100000kb,ESP:AESGCM128-AESGCM128+60min+100000kb,ESP:SHA1-AES128+60min+100000kb
ExemptIPsecProtectedConnections:      No
ApplyAuthorization:                   No
Ok.
On the strongSwan side the following entries are required in ipsec.conf for 128 bit security:
conn ecp
     keyexchange=ikev1
     ike=aes128-sha256-ecp256!
     esp=aes128gcm16!
     pfs=no
and for 192 bit security:
conn ecp
     keyexchange=ikev1
     ike=aes192-sha384-ecp384!
     esp=aes192gcm16!
     pfs=no
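The two sides above name the same algorithms differently: netsh writes ecdhp256:aes128-sha256 where ipsec.conf writes aes128-sha256-ecp256, and netsh writes the AEAD suite as aesgcm128-aesgcm128 where strongSwan writes aes128gcm16. A Main Mode or Quick Mode failure after a change on either side is most often a mismatch between these two lists, so the following added example (not code from the strongSwan project or from Microsoft) normalises both notations and reports the proposals the peers have in common. The name mapping tables, the function names and the extra entries for dhgroup2, aes256 and 3des are assumptions made for this example; the method strings are the ones used on this page.

```python
"""Cross-check Windows netsh Suite B method strings against strongSwan proposals.

Added example, not part of strongSwan or Windows. The netsh -> strongSwan
name mappings are assumptions based on the names used on this page.
"""

# netsh token -> strongSwan keyword (assumed mapping; covers the names on
# this page plus a few common extras)
WIN_DH = {"ecdhp256": "ecp256", "ecdhp384": "ecp384",
          "dhgroup14": "modp2048", "dhgroup2": "modp1024"}
WIN_ENC = {"aes128": "aes128", "aes192": "aes192", "aes256": "aes256",
           "aesgcm128": "aes128gcm16", "aesgcm192": "aes192gcm16",
           "aesgcm256": "aes256gcm16", "3des": "3des"}
WIN_INTEG = {"sha1": "sha1", "sha256": "sha256", "sha384": "sha384"}


def parse_netsh_mainmode(methods):
    """'ecdhp256:aes128-sha256,...' -> set of (enc, integ, dh) tuples."""
    out = set()
    for item in methods.split(","):
        dh, algs = item.strip().lower().split(":")
        enc, integ = algs.split("-")
        out.add((WIN_ENC[enc], WIN_INTEG[integ], WIN_DH[dh]))
    return out


def parse_netsh_quickmode(methods):
    """'esp:aesgcm128-aesgcm128,esp:sha1-aes128' -> set of (enc, integ) tuples.

    netsh writes AEAD suites as 'aesgcmN-aesgcmN' and classic suites as
    '<integrity>-<encryption>'; both forms are normalised here.
    """
    out = set()
    for item in methods.split(","):
        proto, algs = item.strip().lower().split(":")
        if proto != "esp":
            continue  # an AH-only method can never match an esp= line
        a, b = algs.split("-")
        if a.startswith("aesgcm"):
            out.add((WIN_ENC[a], None))  # AEAD: integrity is built in
        else:
            out.add((WIN_ENC[b], WIN_INTEG[a]))
    return out


def parse_strongswan_ike(ike):
    """'aes128-sha256-ecp256!' -> set of (enc, integ, dh) tuples."""
    out = set()
    for prop in ike.rstrip("!").split(","):
        enc, integ, dh = prop.strip().split("-")
        out.add((enc, integ, dh))
    return out


def parse_strongswan_esp(esp):
    """'aes128gcm16!' or 'aes128-sha1' -> set of (enc, integ) tuples."""
    out = set()
    for prop in esp.rstrip("!").split(","):
        parts = prop.strip().split("-")
        out.add((parts[0], parts[1] if len(parts) > 1 else None))
    return out


def common_proposals(win_mm, win_qm, ike, esp):
    """Return (IKE matches, ESP matches) shared by both peers. An empty set
    on either side means the negotiation cannot succeed."""
    ike_match = parse_netsh_mainmode(win_mm) & parse_strongswan_ike(ike)
    esp_match = parse_netsh_quickmode(win_qm) & parse_strongswan_esp(esp)
    return ike_match, esp_match


# Method strings as configured on the Windows side on this page
WIN_MM = "ecdhp256:aes128-sha256,ecdhp384:aes192-sha384,dhgroup14:aes128-sha1"
WIN_QM = "esp:aesgcm192-aesgcm192,esp:aesgcm128-aesgcm128,esp:sha1-aes128"

if __name__ == "__main__":
    # the two page profiles plus one deliberately mismatching proposal
    for ike, esp in (("aes128-sha256-ecp256!", "aes128gcm16!"),
                     ("aes192-sha384-ecp384!", "aes192gcm16!"),
                     ("aes256-sha256-modp2048!", "aes256gcm16!")):
        i, e = common_proposals(WIN_MM, WIN_QM, ike, esp)
        print(ike, esp, "->", "OK" if i and e else "NO MATCH", i, e)
```

The strict-proposal marker (the trailing "!") is stripped before parsing, so the check reflects what strongSwan will accept, not merely what it offers; running the script with the third, mismatching pair shows both sets empty, which is the condition a failed Main Mode or Quick Mode negotiation would present.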
Here is the status output for 128 bit security:
ipsec statusall ecp

"ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: #12
"ecp":   CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'
"ecp":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"ecp":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"ecp":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"ecp":   newest ISAKMP SA: #11; newest IPsec SA: #12;
"ecp":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"ecp":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>
#12: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3422s; newest IPSEC; eroute owner
#12: "ecp" esp.3ca2dd6b@10.10.0.6 (180 bytes, 172s ago) esp.368105e6@10.10.0.1 (240 bytes, 172s ago); tunnel
#11: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28622s; newest ISAKMP
and for 192 bit security:
ipsec statusall ecp

"ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: #16
"ecp":   CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'
"ecp":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"ecp":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"ecp":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"ecp":   newest ISAKMP SA: #15; newest IPsec SA: #16;
"ecp":   IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384
"ecp":   ESP proposal: AES_GCM_16_192/AUTH_NONE/<N/A>
#16: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3584s; newest IPSEC; eroute owner
#16: "ecp" esp.5ee37f6a@10.10.0.6 (180 bytes, 10s ago) esp.a350055d@10.10.0.1 (240 bytes, 10s ago); tunnel
#15: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28783s; newest ISAKMP
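The two status listings are the evidence that the tunnel really negotiated the Suite B algorithms rather than falling back to a weaker proposal, so the check is worth automating: parse the IKE proposal and ESP proposal lines, confirm that both an ISAKMP SA and an IPsec SA are established, and confirm that one ESP SPI is installed per direction. The following added example (not part of strongSwan) does that for the 128 bit output above, which is embedded as sample input; the expected proposal strings are the ones printed on this page, while the profile table, the function names and the finding messages are assumptions made for this example.

```python
"""Check 'ipsec statusall' output for the negotiated Suite B algorithms.

Added example, not part of strongSwan. The expected proposal strings are
the IKE/ESP proposal lines printed on this page; the profile table and
function names are assumptions made for this example.
"""
import re

# Expected negotiated proposals per profile, in strongSwan's status notation
PROFILES = {
    "128": ("AES_CBC_128/HMAC_SHA2_256/ECP_256", "AES_GCM_16_128/AUTH_NONE/<N/A>"),
    "192": ("AES_CBC_192/HMAC_SHA2_384/ECP_384", "AES_GCM_16_192/AUTH_NONE/<N/A>"),
}


def parse_statusall(text, conn):
    """Pull the proposals, SA states and ESP SPIs for one connection."""
    tag = re.escape('"%s"' % conn)
    ike = re.search(tag + r":\s+IKE proposal:\s+(\S+)", text)
    esp = re.search(tag + r":\s+ESP proposal:\s+(\S+)", text)
    spis = []  # (spi, peer address) of every installed ESP SA of this conn
    for line in text.splitlines():
        if '"%s"' % conn in line:
            spis += re.findall(r"esp\.([0-9a-f]+)@([0-9.]+)", line)
    return {
        "ike": ike.group(1) if ike else None,
        "esp": esp.group(1) if esp else None,
        "isakmp_up": bool(re.search(tag + r" STATE_\w+ \([^)]*ISAKMP SA established\)", text)),
        "ipsec_up": bool(re.search(tag + r" STATE_\w+ \(IPsec SA established\)", text)),
        "spis": spis,
    }


def check_profile(text, conn, profile):
    """Return a list of findings; an empty list means the connection is up
    with exactly the algorithms the profile expects."""
    want_ike, want_esp = PROFILES[profile]
    st = parse_statusall(text, conn)
    findings = []
    if not st["isakmp_up"]:
        findings.append("no established ISAKMP SA")
    if not st["ipsec_up"]:
        findings.append("no established IPsec SA")
    if st["ike"] != want_ike:
        findings.append("IKE proposal %s, expected %s" % (st["ike"], want_ike))
    if st["esp"] != want_esp:
        findings.append("ESP proposal %s, expected %s" % (st["esp"], want_esp))
    if st["ipsec_up"] and len(st["spis"]) != 2:
        findings.append("expected one ESP SPI per direction, found %d" % len(st["spis"]))
    return findings


# Sample input: the 128 bit status output from this page
SAMPLE_128 = """\
"ecp": 10.10.1.0/24===10.10.0.1[@vpn.strongswan.org]...10.10.0.6[C=CH, O=strongSwan Project, CN=win.strongswan.org]; erouted; eroute owner: #12
"ecp":   CAs: 'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'...'C=CH, O=strongSwan Project, CN=strongSwan 2009 CA'
"ecp":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
"ecp":   dpd_action: clear; dpd_delay: 300s; dpd_timeout: 150s;
"ecp":   policy: PUBKEY+ENCRYPT+TUNNEL+DONTREKEY; prio: 24,32; interface: eth1;
"ecp":   newest ISAKMP SA: #11; newest IPsec SA: #12;
"ecp":   IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256
"ecp":   ESP proposal: AES_GCM_16_128/AUTH_NONE/<N/A>
#12: "ecp" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3422s; newest IPSEC; eroute owner
#12: "ecp" esp.3ca2dd6b@10.10.0.6 (180 bytes, 172s ago) esp.368105e6@10.10.0.1 (240 bytes, 172s ago); tunnel
#11: "ecp" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28622s; newest ISAKMP
"""

if __name__ == "__main__":
    # checking the 128 bit output against the 192 bit profile lists the
    # two proposal mismatches; against its own profile it lists nothing
    for profile in ("128", "192"):
        print(profile, check_profile(SAMPLE_128, "ecp", profile) or "OK")
```

In practice the sample text would be replaced by the captured output of ipsec statusall on the gateway; because the check is keyed on the connection name, several connections in one listing can be checked independently, and a connection that is absent from the listing is reported as having neither SA established.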