[strongSwan] Security Comparison

Christian Salway christian.salway at naimuri.com
Thu Jul 19 11:25:38 CEST 2018


I used

PS C:\> Add-VpnConnection -Name "Contoso" -ServerAddress 176.16.1.2 -TunnelType "Ikev2"
PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "Contoso" -AuthenticationTransformConstants None -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA384 -PfsGroup None -DHGroup ECP384 -PassThru -Force

and the result was:

Jul 19 09:22:24 05[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
Jul 19 09:22:24 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/MODP_2048
Jul 19 09:22:24 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

i.e., still no ECP.



Kind regards,

Christian Salway
IT Consultant - Naimuri

T: +44 7463 331432
E: christian.salway at naimuri.com
A: Naimuri Ltd, Capstan House, Manchester M50 2UW

> On 19 Jul 2018, at 10:07, Dirk Hartmann <dha at heise.de> wrote:
> 
> 
> 
> --On Thursday, July 19, 2018 09:58:51 AM +0100 Christian Salway <christian.salway at naimuri.com> wrote:
> 
>> 
>> Thanks. Answers inline
>> 
>> 
>>> On 19 Jul 2018, at 09:38, Tobias Brunner <tobias at strongswan.org>
>>> wrote:
>>> 
>>> Hi Christian,
>>> 
>>>> I am also
>>>> limited to the native OSX/Windows VPN clients which currently
>>>> support a maximum of aes256-sha256-prfsha256-ecp256-modp2048
>>>> (Windows does not support ecp)
>>> 
>>> It does (at least on Windows 10), you just have to enable it via
>>> PowerShell (see [1]).
>> 
>> Even with the registry key added, the IKE ciphers are as follows:
>> 
>> WINDOWS 10
>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>> IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
> 
> Have a look here:
> <https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps>
> 
> Regards,
> Dirk
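
Added example, not part of the original message and not strongSwan code: a small Python parser for the three [CFG] lines quoted in the message, comparing the key-exchange groups the peer offered with those configured on the responder. The function names and the restriction to MODP_*, ECP_* and CURVE_* tokens are assumptions of this example.

```python
import re

# Log lines copied from the message above (strongSwan charon [CFG] output).
LOG = """\
Jul 19 09:22:24 05[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
Jul 19 09:22:24 05[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/MODP_2048
Jul 19 09:22:24 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
"""

LINE_RE = re.compile(r"\[CFG\] (received proposals|configured proposals|selected proposal): (.+)$")
# Assumption of this example: only the MODP_*, ECP_* and CURVE_* families
# are treated as key-exchange groups; other families are ignored.
DH_RE = re.compile(r"^(MODP|ECP|CURVE)_\w+$")

def dh_groups(proposals):
    """Return the set of key-exchange groups named in a comma-separated proposal list."""
    groups = set()
    for proposal in proposals.split(","):
        algs = proposal.strip().split(":", 1)[-1].split("/")
        groups.update(a for a in algs if DH_RE.match(a))
    return groups

def analyse(log):
    """Map each [CFG] proposal line to its DH groups and compare the two sides."""
    seen = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[m.group(1).split()[0]] = dh_groups(m.group(2))
    offered, configured, selected = seen["received"], seen["configured"], seen["selected"]
    return {
        "offered": offered, "configured": configured, "selected": selected,
        "common": offered & configured,
        # Groups the responder allows but the peer never offered.
        "not_offered": configured - offered,
        "peer_offered_ecp": any(g.startswith("ECP_") for g in offered),
    }

if __name__ == "__main__":
    for key, value in analyse(LOG).items():
        print(f"{key:17} {sorted(value) if isinstance(value, set) else value}")
```
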
