AES support in Windows Vista IPsecurity configuration

  • Thread starter Thread starter Preethi
  • Start date Start date
P

Preethi

I am using Windows vista Enterprise edition. I am trying to configure AES
encryption using IPSEC setting tab in "Widnows Firewall with Advanced
Security" tab. I am able to see "AES-128" as an option for Encryption
algorithm under "Main Mode" or "Quick Mode" in this menu. The same connection
security rules I am trying to configure using Netsh from the command prompt,
under IPsec I am unable to select AES as the configuration algorithm for
mmsecmethods or qmsec,methods. Only DES or 3DES are the available options.

netsh ipsec dynamic>add qmpolicy help

Usage:
qmpolicy [ name = ] <string>
[ [ soft = ] (yes | no) ]
[ [ pfsgroup = ] (GRP1 | GRP2 | GRP3 | GRPMM | NOPFS) ]
[ [ qmsecmethods = ] (neg#1 neg#2 ... neg#n) ]

Adds a quick mode policy to SPD.

Parameters:

Tag Value
name -Name of the quick mode policy.
soft -Allow unsecured communication with non-IPsec-aware
computers.
This takes a value of either `yes' or `no'.
pfsgroup -GRP1,GRP2,GRP3,GRPMM,NOPFS(default).
qmsecmethods -IPsec offer in one of the following formats:
ESP[ConfAlg,AuthAlg]:k/s
AH[HashAlg]:k/s
AH[HashAlg]+ESP[ConfAlg,AuthAlg]:k/s
where ConfAlg can be DES or 3DES or None.
where AuthAlg can be MD5 or SHA1 or None.
where HashAlg is MD5 or SHA1.
where k is lifetime in kilobytes.
where s is lifetime in seconds.

Remarks: The use of DES and MD5 is not recommended. These cryptographic
algorithms are provided for backward compatibility only.

Examples: add qmpolicy name=qmp
qmsec="AH[MD5]:10000k/24800s ESP[DES,SHA1]:30000k/300s"


netsh ipsec dynamic>

I need to test with AES as Configuration alg, SHA1 as the Hash algorithm. Is
there an option to add AES as the configuation algorithm in Vista using
command line?
 
From: "Preethi" <Preethi @discussions.microsoft.com>

| I am using Windows vista Enterprise edition. I am trying to configure AES

Then post in a Vista related news group, not an XP group.
 
Preethi said:
I am using Windows vista Enterprise edition. I am trying to configure AES
encryption using IPSEC setting tab in "Widnows Firewall with Advanced
Security" tab. I am able to see "AES-128" as an option for Encryption
algorithm under "Main Mode" or "Quick Mode" in this menu. The same
connection
security rules I am trying to configure using Netsh from the command
prompt,
under IPsec I am unable to select AES as the configuration algorithm for
mmsecmethods or qmsec,methods. Only DES or 3DES are the available options.

netsh ipsec dynamic>add qmpolicy help

Usage:
qmpolicy [ name = ] <string>
[ [ soft = ] (yes | no) ]
[ [ pfsgroup = ] (GRP1 | GRP2 | GRP3 | GRPMM | NOPFS) ]
[ [ qmsecmethods = ] (neg#1 neg#2 ... neg#n) ]

Adds a quick mode policy to SPD.

Parameters:

Tag Value
name -Name of the quick mode policy.
soft -Allow unsecured communication with
non-IPsec-aware
computers.
This takes a value of either `yes' or `no'.
pfsgroup -GRP1,GRP2,GRP3,GRPMM,NOPFS(default).
qmsecmethods -IPsec offer in one of the following formats:
ESP[ConfAlg,AuthAlg]:k/s
AH[HashAlg]:k/s
AH[HashAlg]+ESP[ConfAlg,AuthAlg]:k/s
where ConfAlg can be DES or 3DES or None.
where AuthAlg can be MD5 or SHA1 or None.
where HashAlg is MD5 or SHA1.
where k is lifetime in kilobytes.
where s is lifetime in seconds.

Remarks: The use of DES and MD5 is not recommended. These cryptographic
algorithms are provided for backward compatibility only.

Examples: add qmpolicy name=qmp
qmsec="AH[MD5]:10000k/24800s ESP[DES,SHA1]:30000k/300s"


netsh ipsec dynamic>

I need to test with AES as Configuration alg, SHA1 as the Hash algorithm.
Is
there an option to add AES as the configuation algorithm in Vista using
command line?
Please post in `microsoft.public.windows.vista.security' NG or in a Vista
security forum as David Lipman suggests.
 
Back
Top