IPSec qmsecmethods, does it support AES?

    Question

  • IPSec qmsecmethods, does it support AES?

    From http://technet.microsoft.com/en-us/library/cc739550%28v=WS.10%29.aspx,

    ConfAlg
    Specifies the encryption algorithm. ConfigAlg can be DES (Data Encryption Standard), 3DES, or none.

    But in http://technet.microsoft.com/en-us/library/dd125380%28v=WS.10%29.aspx , aes192, aes256 are supported. Is it possible to use AES in MS IPSec? What happens if none is chosen?

    Wednesday, October 09, 2013 9:09 PM

All replies

  • Hi,

    The first link applies to Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, and Windows Server 2003 with SP2:

    http://technet.microsoft.com/en-us/library/cc739550%28v=WS.10%29.aspx

    XP/2003 do not support AES with IPSec and also cannot accept the new "Windows Firewall with Advanced Security" group policy settings. 

    The second link applies to Windows Server 2008 and Windows Vista:

    http://technet.microsoft.com/en-us/library/dd125380(v=WS.10).aspx




    Friday, October 11, 2013 5:40 AM
  • Hi, I see that I should be using http://technet.microsoft.com/en-us/library/dd736198%28v=WS.10%29.aspx for Windows 2008 R2. When I run secpol.msc I don't see options like aesgmac128 or aesgmac192 for Integrity, or aes128, aes192 for Encryption Algorithm, in IP Security Policies on Local Computer. Please advise if there is a newer command to bring up IP Security Policies in Win2008 so that I can see the newer Integrity and Encryption options?

    Regards,

    Mike

    Integrity
    Specifies an integrity algorithm. Integrity can be md5, sha1, sha256, aesgmac128, aesgmac192, aesgmac256, aesgcm128, aesgcm192, aesgcm256, or none. To specify that you do not want to use AH, do not include the ah:Integrity portion of the parameter. MD5 and SHA1 are available on all supported versions of Windows. The other integrity algorithms are supported only on Windows Vista with Service Pack 1 and later versions of Windows.
    Encryption
    Specifies the encryption algorithm used. Encryption can be des, 3des, aes128, aes192, aes256, aesgcm128, aesgcm192, aesgcm256, or none. DES and 3DES are available on all supported versions of Windows. The other integrity algorithms are supported only on Windows Vista with Service Pack 1 and later versions of Windows.

    Friday, October 11, 2013 1:14 PM
  • The http://technet.microsoft.com/en-us/library/cc754655.aspx document for Windows 2008 R2 "IPSEC filter action" only has MD5/SHA1 (Integrity Algorithm) and DES/3DES (Encryption Algorithm). Please advise if I can use the following command to create mmsecmethods

    windows 2003: netsh ipsec static add policy ipsec-windows2008r2 mmpfs=no qmpermm=0 mmlifetime=1440 activatedefaultrule=no assign=no mmsecmethods="3DES-SHA1-2"

    windows 2008 http://technet.microsoft.com/en-us/library/dd736198%28v=WS.10%29.aspx, I cannot see the mmsecmethods option? Please advise.

    windows 2003: netsh IPsec static add filteraction name="ipsec-windows2008r2" qmpfs=yes inpass=no soft=no action=negotiate qmsecmethods="ESP[3DES,SHA1]:1000000k/3600s"

    windows 2008: qmsecmethods="ESP[AES128,SHA1]:100000kb/3600s" as in ESP:SHA1-AES128+60min+100000kb ?

    Currently the following command fails:
    netsh ipsec static add policy ipsec-windows2008r2 mmpfs=no qmpermm=0 mmlifetime=1440 activatedefaultrule=no assign=no mmsecmethods="AES128-SHA1-2"
    ERR IPsec[01033] : Invalid MMOFFER is specified

    How do I get something like the following to work?

    netsh ipsec static add policy ipsec-windows2008r2 mmpfs=no qmpermm=0 mmlifetime=1440 activatedefaultrule=no assign=no mmsecmethods="AES128-SHA1-2"
    netsh IPsec static add filterlist name="ipsec-windows2008r2" description="ipsec-windows2008r2"
    netsh IPsec static add filter filterlist="ipsec-windows2008r2" srcaddr=192.168.76.7 dstaddr=192.168.76.9 protocol=any mirrored=yes
    netsh IPsec static add filteraction name="ipsec-windows2008r2" qmpfs=yes inpass=no soft=no action=negotiate qmsecmethods="ESP[AES128,SHA1]:1000000k/3600s"
    netsh IPsec static add rule name="ipsec-windows2008r2" policy="ipsec-windows2008r2" filterlist="ipsec-windows2008r2" filteraction="ipsec-windows2008r2" conntype=all kerberos=no psk=complex-secret-name

    Friday, October 11, 2013 1:51 PM
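The thread quotes two different quick-mode proposal syntaxes: the legacy "netsh ipsec static" form (ESP[3DES,SHA1]:1000000k/3600s), whose documentation lists only DES/3DES and MD5/SHA1, and the "netsh advfirewall consec" form for Vista SP1 / Server 2008 and later (ESP:SHA1-AES128+60min+100000kb), which is where the AES options appear. The following Python script is an added example written for this page; it is not code from the thread or from Microsoft. It parses both forms, reports the algorithms and lifetimes, flags DES, MD5 and ESP with no encryption (the "none" case asked about in the question), and rewrites a legacy proposal into the newer form, which is the mapping the last post guesses at. The algorithm lists are the ones quoted from the two documentation pages; the weak/legacy assessment is the example author's. Assumptions: only single-proposal ESP/AH strings as they appear in the posts are handled (the combined ah:+esp: form and the main-mode mmsecmethods syntax are out of scope), and the sample inputs at the bottom are constructed.

```python
import re

# Algorithm names from the "netsh advfirewall consec" documentation quoted in the thread
# (Windows Vista SP1 / Server 2008 and later).
CONSEC_ENCRYPTION = {"des", "3des", "aes128", "aes192", "aes256",
                     "aesgcm128", "aesgcm192", "aesgcm256", "none"}
CONSEC_INTEGRITY = {"md5", "sha1", "sha256", "aesgmac128", "aesgmac192", "aesgmac256",
                    "aesgcm128", "aesgcm192", "aesgcm256", "none"}
# The older "netsh ipsec static" context (the XP/2003 syntax) documents only these.
LEGACY_ENCRYPTION = {"des", "3des", "none"}
LEGACY_INTEGRITY = {"md5", "sha1", "none"}
# Assessment used by this example (not from the thread): DES and MD5 are broken for this
# purpose; 3DES is legacy and reported separately.
WEAK = {"des", "md5"}

# Legacy form, e.g. ESP[3DES,SHA1]:1000000k/3600s
LEGACY_RE = re.compile(
    r"^(?P<proto>ESP|AH)\[(?P<enc>[^,\]]+),(?P<integ>[^\]]+)\]:(?P<kb>\d+)kb?/(?P<sec>\d+)s$", re.I)
# Newer form, e.g. ESP:SHA1-AES128+60min+100000kb (encryption and lifetimes are optional).
# Simplification: combined "ah:...+esp:..." proposals are not handled here.
CONSEC_RE = re.compile(
    r"^(?P<proto>ESP|AH):(?P<integ>[^-+]+)(?:-(?P<enc>[^+]+))?(?:\+(?P<min>\d+)min)?(?:\+(?P<kb>\d+)kb)?$",
    re.I)


def parse_qmsecmethod(method: str) -> dict:
    """Return protocol, algorithms, lifetimes and a list of review findings for one proposal."""
    text = method.strip()
    m = LEGACY_RE.match(text)
    if m:
        syntax = "ipsec-static"
        enc, integ = m.group("enc").lower(), m.group("integ").lower()
        kb, sec = int(m.group("kb")), int(m.group("sec"))
    else:
        m = CONSEC_RE.match(text)
        if not m:
            raise ValueError(f"unrecognised qmsecmethods value: {method!r}")
        syntax = "advfirewall-consec"
        enc = (m.group("enc") or "none").lower()   # no "-encryption" part means ESP-NULL
        integ = m.group("integ").lower()
        sec = int(m.group("min")) * 60 if m.group("min") else None
        kb = int(m.group("kb")) if m.group("kb") else None
    proto = m.group("proto").upper()

    issues = []
    if syntax == "ipsec-static":
        # The legacy context does not document AES at all, which is why AES names fail there.
        if enc not in LEGACY_ENCRYPTION:
            issues.append(f"{enc} is not in the netsh ipsec static encryption list (des/3des/none)")
        if integ not in LEGACY_INTEGRITY:
            issues.append(f"{integ} is not in the netsh ipsec static integrity list (md5/sha1/none)")
    else:
        if enc not in CONSEC_ENCRYPTION:
            issues.append(f"unknown encryption algorithm {enc}")
        if integ not in CONSEC_INTEGRITY:
            issues.append(f"unknown integrity algorithm {integ}")
    if enc in WEAK:
        issues.append(f"weak encryption algorithm {enc}")
    if integ in WEAK:
        issues.append(f"weak integrity algorithm {integ}")
    if enc == "3des":
        issues.append("3des is a legacy cipher; prefer an AES option where the platform allows it")
    if proto == "ESP" and enc == "none":
        issues.append("ESP-NULL: integrity only, payload is sent unencrypted")

    return {"syntax": syntax, "protocol": proto, "encryption": enc, "integrity": integ,
            "lifetime_seconds": sec, "lifetime_kb": kb, "issues": issues}


def to_consec_syntax(parsed: dict) -> str:
    """Rewrite a parsed proposal in the advfirewall consec form, e.g. ESP:SHA1-AES128+60min+100000kb."""
    out = f"{parsed['protocol']}:{parsed['integrity'].upper()}"
    if parsed["encryption"] != "none":
        out += f"-{parsed['encryption'].upper()}"
    if parsed["lifetime_seconds"] is not None:
        out += f"+{parsed['lifetime_seconds'] // 60}min"   # seconds -> minutes
    if parsed["lifetime_kb"] is not None:
        out += f"+{parsed['lifetime_kb']}kb"
    return out


if __name__ == "__main__":
    # Constructed sample inputs, in the forms discussed in the thread.
    for sample in ("ESP[3DES,SHA1]:1000000k/3600s",
                   "ESP[AES128,SHA1]:1000000k/3600s",
                   "ESP:SHA1-AES128+60min+100000kb",
                   "ESP:SHA1+60min"):
        p = parse_qmsecmethod(sample)
        print(sample, "->", to_consec_syntax(p), p["issues"])
```

Running it shows the legacy AES128 string being reported as outside the "netsh ipsec static" algorithm list and rewritten to ESP:SHA1-AES128+60min+1000000kb, while ESP:SHA1+60min is reported as ESP-NULL, which is what choosing "none" for encryption amounts to: integrity protection without confidentiality.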