HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

Additional Tips for Vista and Windows 2008
This section contains additional information for Vista and Windows 2008 systems.
The IKEv1 default parameters on Vista and Windows 2008 systems are the same as the
defaults on Windows XP systems, so you must modify the IKE authentication method and hash
algorithm as described in the previous section.
There are two types of IPsec rules:

IPsec Policyagent rules. These rules are functionally the same as the IPsec rules on Windows
XP and Windows 2003 systems. They can be configured using the IPsec Policy
Management Microsoft Management Control (MMC) snap-in as documented in HP-UX
IPSec: Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec
(J4256-90025). However, these rules do not support AES encryption for ESP.

Connection security rules. These rules are supported on Vista and Windows 2008 systems
and can be configured using the Windows Firewall with Advanced Security MMC snap-in.
However, this interface does not allow you to configure IPsec rules for specific port numbers
or protocols. To configure an IPsec rule for specific ports or protocols, you must use the
Microsoft netsh advfirewall command-line context. For example, the following
command configures a rule that applies IPsec security for the telnet (port 514) service
on the Windows 2008 server (10.0.0.208) from the HP-UX system (10.0.0.11):
    netsh advfirewall consec add rule name=iop-rule enable=yes
        endpoint1=10.0.0.208 endpoint2=10.0.0.11 protocol=tcp port1=514
        action=requireinrequireout auth1=computerpsk auth1psk=MyKey
Rules configured using the netsh advfirewall command-line context are bidirectional.
IPsec will be used for TCP packets from 10.0.0.11 to port 514 on 10.0.0.208 and for
packets in the reverse direction.
The default IPsec transform is ESP with AES-128 encryption and SHA-1 authentication.
In addition to configuring IPsec rules, you must configure the firewall rules (accessible from
the Windows Firewall with Advanced Security MMC snap-in) and change the action for the
appropriate rule to secure. For example, the action for the inbound telnet server rule must be
set to secure to allow connection requests for the telnet server. The secure action also causes
the appropriate IPsec rule to be applied to the packets.
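The complete two-step configuration the text describes (connection security rule, then the inbound firewall rule with the secure action) plus a check that the SAs were negotiated, as an added example that is not part of the HP-UX guide. It reuses the page's addresses, port, rule name and key; the `qmsecmethods` and `security=authenticate` options are standard netsh advfirewall parameters that the page itself does not show, and the firewall rule name is an assumption.

```powershell
# Run from an elevated PowerShell prompt on the Windows 2008 server (10.0.0.208).
# Values below are the guide's illustrative ones; the PSK is a placeholder.
$Server   = "10.0.0.208"   # Windows endpoint (endpoint1)
$HpuxHost = "10.0.0.11"    # HP-UX endpoint (endpoint2)
$Port     = 514            # port the guide protects
$Psk      = "MyKey"        # placeholder: use a long, random secret in a real deployment

# Step 1: connection security rule (the IPsec policy). Rules from this context are
# bidirectional, so one rule covers both directions between the two endpoints.
# qmsecmethods pins the phase 2 transform to the documented default (ESP, AES-128, SHA-1)
# so the negotiated transform cannot drift to an AES-GCM/GMAC combination the HP-UX
# peer may not offer.
netsh advfirewall consec add rule name=iop-rule enable=yes `
    endpoint1=$Server endpoint2=$HpuxHost protocol=tcp port1=$Port `
    action=requireinrequireout auth1=computerpsk auth1psk=$Psk `
    qmsecmethods="esp:sha1-aes128"

# Step 2: the inbound firewall rule for the service with the "secure" action.
# In netsh this is action=allow combined with security=authenticate, the equivalent
# of "Allow the connection if it is secure" in the MMC snap-in. Without it the
# connection is dropped even though the IPsec rule exists.
netsh advfirewall firewall add rule name="iop-inbound-514" dir=in action=allow `
    protocol=tcp localport=$Port remoteip=$HpuxHost security=authenticate

# Check: both rules are present.
netsh advfirewall consec show rule name=iop-rule
netsh advfirewall firewall show rule name="iop-inbound-514"

# Check, after the HP-UX system opens a TCP connection to port 514: an IKE main-mode SA
# and an IPsec quick-mode SA exist for the pair. An empty quick-mode list with a present
# main-mode SA usually means a phase 2 transform mismatch with the HP-UX side.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```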
Interoperability with Windows 7 and Windows 2008 server R2
NOTE: Windows 2008 R2 and Windows 7 do not support IKEv2 for IPsec transport mode.
Windows supports only specific phase 1 and phase 2 algorithms.
Windows supports the following suite of algorithms in transport mode:

Phase 1 (IKEv1 only):
    Authentication: MD5, SHA1, SHA-256, SHA-384
    Encryption: DES, 3DES, AES-CBC-128, AES-CBC-192, AES-CBC-256
    DH group: 1, 2, 14, ECDH P-256, ECDH P-384

Phase 2:
    Encryption: DES, 3DES, AES-CBC-128, AES-CBC-192, AES-CBC-256,
        AES-GCM-128, AES-GCM-192, AES-GCM-256
    Authentication: MD5, SHA1, AES-GMAC-128, AES-GMAC-192, AES-GMAC-256,
        AES-GCM-128, AES-GCM-192, AES-GCM-256

Not all of the algorithms in the suite listed above are compatible with HP-UX IPSec or with
other IPsec vendor implementations.