[strongSwan] Windows IKE and PFS settings
Victor Sudakov
vas at sibptus.ru
Wed Jan 15 04:30:07 CET 2020
Dear Colleagues,
I'm setting up a transport mode IPSec connection between FreeBSD and
Windows (10 and 2016). In the Windows IPSec GPO, there are two options
(knobs) for PFS:
1. "Master key PFS" in IKE settings: http://admin.sibptus.ru/~vas/pfs_ike.jpg
2. "Use session key PFS" in ESP settings: http://admin.sibptus.ru/~vas/pfs_esp.jpg
Which connection parameters in strongSwan do they correspond to?
A simple strongSwan configuration is like this:
conn Win2016
    keyexchange=ikev1
    ike=3des-sha1-modp2048!
    esp=3des-sha1!
    left=x.x.x.1
    right=x.x.x.14
    type=transport
    authby=psk
    auto=route
It even works provided those two PFS knobs in Windows are unchecked.
Please note that:
1. The DH group for IKE is configured separately in Windows, and can be
set to 1, 2, or 2048 (this goes into the ike= parameter, I chose 2048 on
both sides).
2. Windows cannot configure IKEv2 from GPO, only from PowerShell. I'm
not quite ready for that yet, please do not advise to switch to IKEv2.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
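For readers comparing the two Windows knobs against the conn above, here is an added ipsec.conf example (not part of the original post) showing the same transport-mode conn with the original ESP proposal beside one that carries a DH group. In strongSwan, appending a DH group to the esp= proposal enables Quick Mode PFS, which is what the Windows "Use session key PFS" checkbox requests; the group has to match on both sides, so modp2048 is assumed here to mirror the 2048 chosen for IKE in the post. The mapping of the "Master key PFS" knob to IKE SA rekeying with a fresh Diffie-Hellman exchange (strongSwan's reauth=yes behaviour for IKEv1) is an assumption, not something the post confirms.

```ini
# Added example, not the poster's configuration.
# Same conn as in the post: IKE has a DH group, ESP does not, so no PFS for
# the IPsec SA. This only works while both Windows PFS knobs are unchecked.
conn Win2016-nopfs
    keyexchange=ikev1
    ike=3des-sha1-modp2048!
    esp=3des-sha1!
    left=x.x.x.1
    right=x.x.x.14
    type=transport
    authby=psk
    auto=route

# Same conn with session key PFS: the DH group on the esp= line makes
# strongSwan run a fresh Diffie-Hellman exchange for every IPsec SA
# (Quick Mode PFS). The group must equal the one selected in the Windows
# "Use session key PFS" dialog; modp2048 is assumed to match the post.
conn Win2016-pfs
    keyexchange=ikev1
    ike=3des-sha1-modp2048!
    esp=3des-sha1-modp2048!
    # Assumption: Windows "Master key PFS" expects the IKE SA itself to be
    # re-established with a new DH exchange when it rekeys; for IKEv1
    # strongSwan does this through re-authentication, which is the default.
    reauth=yes
    left=x.x.x.1
    right=x.x.x.14
    type=transport
    authby=psk
    auto=route
```

A mismatch shows up quickly: if only one side adds the DH group to its ESP proposal, Quick Mode negotiation fails with a NO_PROPOSAL_CHOSEN notify in the strongSwan log, which is a useful check that the two knobs really are mapped to the expected parameters.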