Hello,
https://help.mikrotik.com/docs/spaces/ROS/pages/11993097/IPsec#IPsec-Windowsclientconfiguration
The page linked above states that for Windows 10:
- The only supported DH group is modp1024 (group 2), which is not secure enough (e.g. Cisco marks it as AVOID: https://sec.cloudapps.cisco.com/security/center/resources/next_generation_cryptography).
- Child SAs do not support AES-GCM (those are AEAD ciphers: they do not use a hash, but require a PRF). Instead, it suggests either AES-CBC with SHA1 HMAC (not such a secure hash) or DES, which has been deprecated for a long time.
- Child SAs do not support PFS (which is quite important!).
However, none of these three claims is true.
Windows supports all these things, but one has to do the following:
1. Enable modp2048 (aka Group 14) via the NegotiateDH2048_AES256 registry value, for example:
reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /t REG_DWORD /v NegotiateDH2048_AES256 /d 0x2 /f
2. Configure the VPN connection explicitly using Set-VpnConnectionIPsecConfiguration (there is no UI, sorry).
Here is my configuration:
Profile: hash, prf – sha256, enc aes256, dh modp2048.
Proposal: auth: nothing (we do not need it for AEAD), enc aes-256-gcm, pfs modp2048.
Set-VpnConnectionIPsecConfiguration -Name $ConnName -AuthenticationTransformConstants GCMAES256 -EncryptionMethod GCMAES256 -CipherTransformConstants GCMAES256 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -DHGroup Group14 -force
So, I asked for: modp2048 PFS, DH 14 (which is also modp2048) and AES-256 GCM.
VOILÀ:
[foo@bar] /ip/ipsec/installed-sa> print proplist=enc-algorithm,enc-algorithm,enc-key-size,hw-aead
Flags: S - SEEN-TRAFFIC; H - HW-AEAD; E - ESP
Columns: ENC-ALGORITHM, ENC-ALGORITHM, ENC-KEY-SIZE, HW-AEAD
# ENC-ALGORITHM ENC-ALGORITHM ENC-KEY-SIZE HW-AEAD
0 SHE aes-gcm aes-gcm 288 yes
1 SHE aes-gcm aes-gcm 288 yes
2 SHE aes-gcm aes-gcm 288 yes
3 SHE aes-gcm aes-gcm 288 yes
(Why does it show 288 as the key size? Seems like a bug: http://forum.mikrotik.com/t/ipsec-proposal-invalid-key-length-when-using-gcm/112976/1 , but Windows seems to accept it.)
I enjoy hardware accelerated GCM AES.
And from the Windows side:
PS C:\> Get-NetIPsecMainModeSA | select -Property CipherAlgorithm, HashAlgorithm, GroupId, KeyModule
CipherAlgorithm HashAlgorithm GroupId KeyModule
--------------- ------------- ------- ---------
AES256 SHA256 DH14 IkeV2
PS C:\> Get-NetIPsecQuickModeSA | select -Property FirstIntegrityAlgorithm,FirstTransformType,FirstCipherAlgorithm
FirstIntegrityAlgorithm FirstTransformType FirstCipherAlgorithm
----------------------- ------------------ --------------------
AESGMAC256 EspAuthAndCipher AESGCM256
AESGMAC256 EspAuthAndCipher AESGCM256
For Phase 1 I have DH14 (modp2048), and for Phase 2 it is AES-256-GCM.
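For anyone who wants to reproduce this end to end, here is the whole client-side procedure (registry value, connection creation, IPsec proposal, verification) as one elevated PowerShell script. This is an added example, not a command sequence from the original post or from MikroTik; the connection name, server address and the choice of machine-certificate authentication are assumptions you will need to adapt. Note that the cmdlet's documented parameter for the connection name is -ConnectionName.

```powershell
# Added example: IKEv2 client on Windows 10 with modp2048 (Group 14) and AES-256-GCM.
# Run in an elevated PowerShell session. Names below are assumptions/placeholders.
$ConnName = 'MT-IKEv2'            # assumed connection name
$Server   = 'vpn.example.com'     # placeholder; your router's public name or IP

# 1. Let RasMan negotiate DH group 14 with AES-256 instead of the modp1024/3DES default.
#    Documented values: 0 = DH2 + 3DES, 1 = DH14 + AES-128, 2 = DH14 + AES-256.
$RasMan = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
New-ItemProperty -Path $RasMan -Name 'NegotiateDH2048_AES256' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# 2. Create the IKEv2 connection once (machine-certificate auth assumed here).
if (-not (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnName -ServerAddress $Server -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Maximum
}

# 3. Pin the proposal: IKE SA = AES-256 / SHA-256 / DH14, child SA = AES-256-GCM with
#    PFS over modp2048. GCM is AEAD, so the "integrity" transform is GCM as well.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants         GCMAES256 `
    -EncryptionMethod                 GCMAES256 `
    -IntegrityCheckMethod             SHA256 `
    -PfsGroup                         PFS2048 `
    -DHGroup                          Group14 `
    -Force

# 4. Bring the tunnel up and check what was actually negotiated.
#    Expect DH14/SHA256/AES256 for main mode and AESGCM256 for quick mode;
#    anything else means the router-side profile/proposal does not match.
rasdial $ConnName
Get-NetIPsecMainModeSA  | Select-Object CipherAlgorithm, HashAlgorithm, GroupId, KeyModule
Get-NetIPsecQuickModeSA | Select-Object FirstIntegrityAlgorithm, FirstTransformType, FirstCipherAlgorithm
```

The registry value only widens what RasMan is willing to negotiate; the Set-VpnConnectionIPsecConfiguration call is what pins the proposal, so run step 4 after any change on the router side to confirm you did not silently fall back to a weaker combination.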
AES-CBC 256 also works, and it supports SHA256 HMAC:
Mikrotik:
4 SHE aes-cbc aes-cbc 256 yes
Windows:
CipherAlgorithm HashAlgorithm GroupId KeyModule
--------------- ------------- ------- ---------
AES256 SHA256 DH14 IkeV2
Should we fix documentation to help people configure Windows clients in a more secure manner?