IPsec/L2TP and AES

Brian

I'm researching the options I have for deploying AES as the algorithm for
IPsec transport mode encryption using the built in Windows IP Security
policies. I understand that MS hasn't implemented AES currently so I was
wondering if anyone knows of a method to add it (commercial or otherwise) as
one of the algorithms for IPsec in Windows? I know there are numerous third
party clients out there that support AES however we currently have an in
house app that manages rules/filter lists etc. for 300+ servers and the goal
is not to change it aside from setting the algorithm.

Thanks,

- Brian
S. Pidgorny

Never heard of a way of adding third-party encryption algorithms to IPsec.
May I ask where the requirement for AES comes from? With all the other
mature algorithms, and rekeying, also supported, current Windows IPsec is
quite secure.
Brian

The requirement comes from the certification level we need for the data
(FIPS-140). AES is the only method that will give us the level we need.


- Brian
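What Brian is asking for, on the Windows versions of this thread, has no built-in answer: the policy tooling simply offers no AES choice. On Windows Server 2012 / Windows 8 and later the built-in IPsec stack does support AES, and the NetSecurity module lets you change only the quick-mode crypto set while leaving the rule and filter shape untouched. The following is an added example (not code from the thread or from Microsoft's documentation); the 10.0.0.0/24 subnet, the display names, the use of the default Phase 1 authentication set, the set object's `.Proposal` property and passing the set's `Name` to `-QuickModeCryptoSet` are assumptions to verify against the installed module's help before relying on them.

```powershell
# Added example, not from the thread: require AES for IPsec transport mode
# with the NetSecurity module (Windows Server 2012 / Windows 8 and later).
# Only the quick-mode crypto set changes; the rule shape is the same as it
# would be for 3DES.
#
# Assumptions: subnet 10.0.0.0/24, the display names, the default Phase 1
# authentication set, the set's .Proposal property and referencing the set by
# .Name are illustrative and should be checked against Get-Help.

# FIPS 140 mode: when this DWORD is 1, Windows restricts itself to validated
# cryptographic modules. Check it before claiming a certification level.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
if (-not $fips -or $fips.Enabled -ne 1) {
    Write-Warning 'FIPS algorithm policy is not enabled on this host.'
}

# Quick-mode (Phase 2) proposals, strongest first. DES and 3DES are
# deliberately not offered, so a peer that cannot do AES fails negotiation
# instead of silently falling back to a weaker cipher.
$proposals = @(
    (New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256),
    (New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES128 -ESPHash SHA256)
)
$cryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'AES-only ESP' -Proposal $proposals

# Transport-mode rule: require IPsec in both directions for traffic to the
# server subnet, bound to the AES-only set (assumed: referenced by Name).
New-NetIPsecRule -DisplayName 'Require AES ESP to server subnet' `
    -Mode Transport `
    -RemoteAddress '10.0.0.0/24' `
    -InboundSecurity Require `
    -OutboundSecurity Require `
    -QuickModeCryptoSet $cryptoSet.Name | Out-Null

# Check: read the set back and fail loudly if any proposal is not AES.
$weak = (Get-NetIPsecQuickModeCryptoSet -DisplayName 'AES-only ESP').Proposal |
    Where-Object { $_.Encryption -notmatch '^AES' }
if ($weak) {
    throw "Non-AES proposal found in set: $(($weak | ForEach-Object Encryption) -join ', ')"
}
Write-Output 'Quick-mode crypto set contains only AES proposals.'
```

Run it from an elevated PowerShell session on each server, or let the in-house policy tool emit the same three cmdlets. The read-back check at the end is the part worth keeping: a policy that lists AES first but still carries a 3DES proposal will happily negotiate 3DES with any peer that prefers it.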
Herb Martin

My guess is Microsoft will add this in the next product iteration.

SSH has it. They must keep up with the (OPEN) Joneses.
S. Pidgorny

OpenSSH does support AES encryption, but the SSH protocols are not a functional
equivalent of IPsec. I think that Linux FreeS/WAN, the most popular freeware
IPsec implementation, doesn't feature AES - some assembly's required.
Herb Martin

S. Pidgorny said:
> OpenSSH does support AES encryption, but the SSH protocols are not a functional
> equivalent of IPsec. I think that Linux FreeS/WAN, the most popular freeware
> IPsec implementation, doesn't feature AES - some assembly's required.

Depends on what you mean by "functionally equivalent".

SSH is sometimes used for the same purpose as a VPN -- to tunnel
or transport other protocols.

Microsoft could do worse than add SSH support to Windows.
S. Pidgorny

No, SSH only allows TCP tunneling, and a tunnel for each TCP port needs to be
established separately.

However, I'd support the idea of Microsoft adding SSH support to Windows.
Herb Martin

S. Pidgorny said:
> No, SSH only allows TCP tunneling, and a tunnel for each TCP port needs to be
> established separately.

I indicated it sometimes is used to transport other protocols -- which is
what you have both disagreed with and confirmed above.

--
Herb Martin
S. Pidgorny

Herb,

Let's make it clear - I never contradicted myself.

You said: "SSH has it." (AES encryption)
I replied: "SSH protocols are not functional equivalent of IPsec"
You: "Depends on what you mean by 'functionally equivalent'. SSH is
sometimes used for the same purpose as a VPN -- to tunnel or transport other
protocols."
I: "SSH only allows TCP tunneling"

Probably I'd have to elaborate on support for UDP, ICMP and IP protocols
other than TCP, on there being no need for individual configuration of every
port, and on the possibility of routing client-to-LAN and LAN-to-LAN traffic -
areas where SSH lacks badly.

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
