[Swan] authentication method: IKEv2_AUTH_ECDSA_P384 not supported in I2 Auth Payload

Manfred mx2927 at gmail.com
Fri Dec 11 18:59:59 UTC 2020 


On 12/11/2020 7:29 PM, Paul Wouters wrote:
> On Dec 11, 2020, at 13:16, Manfred <mx2927 at gmail.com> wrote:
>>
>> Hi Paul,
>>
>> Thank you very much for the answer.
>> About "much better" I see in RFC 7427 that its main purpose is to generalize the IKEv2 authentication method for ECDSA:
>> "The current version only includes support for three Elliptic Curve groups, and there is a fixed hash algorithm tied to each group. This document generalizes..."
>>
>> That is to say that the "old" methods (9, 10, 11) don't seem to be deemed cryptographically weak or obsolete, do I understand this right?
> 
> 
> Correct. It’s main goal is to support new authentication algorithms without requiring an RFC per signature+hash combination.
>>
>> The other end I need to connect to is Windows 10 which indeed appears to use methods 9, 10, and 11 in combination with ECDSA certificates.
>> More specifically, if e.g. DH ECP384 is set (via Set-VpnConnectionIPsecConfiguration) then only an ECDSA certificate with the P-384 curve is allowed (others are rejected with error 13806)
> 
> That’s unfortunate. We were hoping to avoid having toads support for it.
> 
>> Reason I mention this is that methods 9, 10 11 could be an interoperability consideration, that is /iif/ they are cryptographically sound, if not I'd like to know.
>> (if EC ciphers can't be used the best it can be done with Windows and libreswan seems to be MODP2048)
> 
> I know Windows can do modp8192 and 4096, but the DH groups are a separate issue from the authentication method we were talking about. Libreswan supports the ECP DH groups (and curve25519 / curve448)

I know that DH and the authentication method are different things, but 
apparently Windows hardcouples the auth method to the DH group selected. 
See the last answer in:
https://social.technet.microsoft.com/Forums/ie/en-US/b1d8b473-b05d-413b-8afe-2eeab00d263a/ike-failed-to-find-valid-machine-certificate?forum=win10itprosecurity

I have verified that if an ECP DH group is selected, then only an ECDSA 
certificate is accepted as machine certificate (with the same key bit 
length), which leads to the original problem of my question.
(I have also seen that Libreswan supports the ECP DH groups, it shows up 
clearly in the logs, that's why I was surprised by this auth failure)

BTW. How does Windows support modp8192 and 4096? I have seen that it can 
use 4096-bit RSA certificates, is this what you mean, or otherwise how 
would you select these stronger encryption ciphers (they don't appear in 
Set-VpnConnectionIPsecConfiguration)?

> 
> Paul
>

More information about the Swan mailing list