
I'm here trying to connect a Linux Ubuntu VPC machine to an Azure Cloud network interface; the only thing I can't suss out is how to configure my IKE and ESP at my end to match the below:

IKEv2 Encryption | GCMAES256, AES256

IKEv2 Integrity | GCMAES256, SHA384, SHA256, SHA1

DH Group | DHGroup2

IPsec Encryption | GCMAES256, AES256

IPsec Integrity | GCMAES256, SHA256

PFS Group | None, PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1

Every variation I've tried so far:

#ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
#ike=3des-sha1-modp1024!
ike=aes256-sha256-modp1024,aes256-sha1-modp1024!
#esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
#esp=aes256-sha256-modp1024!
esp=aes256-sha256-modp1024!

I've tried to follow and decipher things from https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html, but I can't figure out which ones to use.


You can use the below-given combination of key exchange, hashing, authentication, and encryption algorithms or cipher suites that ‘Strongswan’ allows different clients to use:

ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!

esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

Ensure that the ‘IPSec.conf.inc’ in the Ubuntu VM is configured with the above-stated cipher suites, since according to the link you have given for ‘Strongswan’, the IKEv2 encryption cipher suite to be used should have the encryption ‘x b w o g a’ scheme for the Ubuntu Linux VM’s VPN client.

• Also, ensure that you use the ‘Commercial National Security Algorithm Suite’, which specifies the algorithm parameters given below:

Encryption
AES with 256-bit key length (aes256gcm16 or aes256)

Key Exchange
ECDH with NIST P-384 curve (ecp384)
DH with at least 3072-bit modulus (modp3072 or higher)

Pseudo-Random Function/Integrity Protection
SHA-384 (e.g. prfsha384 or sha384 if not using AES in GCM mode)

Digital Signatures
ECDSA with NIST P-384 curve
RSA with at least 3072-bit modulus

This would include all the required encryption and algorithm parameters as stated by you through the Azure cloud network interface.

• Also, please refer to the image below, which represents the implementation of IPSec gateways in host-to-host scenarios and clearly shows the IPSec VPN key exchange implementation scenarios:

IPSec VPN Key exchange

IPSec VPN Key exchange - 2

Please refer to the links below for more information on this:

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-20-04

https://sysadmins.co.za/setup-a-site-to-site-ipsec-vpn-with-strongswan-on-ubuntu/

Kartik Bhiwapurkar
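As an added check, not part of the question or the answer above, the following Python script parses strongSwan ike=/esp= proposal lists and reports which proposals fall inside the Azure policy quoted in the question. The Azure-to-strongSwan name mapping (for example DHGroup2/PFS2 = modp1024, PFS24 = modp2048s256) is my assumption from the two vendors' documentation and should be verified against your own gateway.

```python
import re

# Azure policy names -> strongSwan keywords. Assumed mapping from Azure and strongSwan
# docs; verify against your gateway. PFS "None" means no DH group in the ESP proposal.
AZURE_TO_SS = {
    "GCMAES256": "aes256gcm16", "AES256": "aes256", "SHA384": "sha384",
    "SHA256": "sha256", "SHA1": "sha1", "DHGroup2": "modp1024", "PFS2": "modp1024",
    "PFS1": "modp768", "PFS2048": "modp2048", "PFS24": "modp2048s256",
    "ECP256": "ecp256", "ECP384": "ecp384", "None": None,
}
# The Azure policy exactly as listed in the question.
AZURE_POLICY = {
    "ike": {"enc": ["GCMAES256", "AES256"],
            "integ": ["GCMAES256", "SHA384", "SHA256", "SHA1"], "dh": ["DHGroup2"]},
    "esp": {"enc": ["GCMAES256", "AES256"], "integ": ["GCMAES256", "SHA256"],
            "dh": ["None", "PFS24", "ECP384", "ECP256", "PFS2048", "PFS2", "PFS1"]},
}

def parse_proposal(text):
    """Split one strongSwan proposal such as 'aes256-sha256-modp1024' into parts."""
    enc = integ = dh = None
    for tok in text.split("-"):
        if tok.startswith("prf"):
            continue                                  # PRF is not in the Azure table
        if re.match(r"(aes|3des|chacha20)", tok):
            enc = tok
        elif re.match(r"sha\d*$", tok):
            integ = tok
        elif re.match(r"(modp|ecp|curve)", tok):
            dh = tok
    return enc, integ, dh

def proposal_allowed(text, side):
    """True if the proposal can be negotiated under the Azure policy for 'ike' or 'esp'."""
    pol = AZURE_POLICY[side]
    enc, integ, dh = parse_proposal(text)
    enc_ok = enc in {AZURE_TO_SS[a] for a in pol["enc"]}
    if enc and "gcm" in enc:                          # AEAD: integrity is the GCM tag itself
        integ_ok = "GCMAES256" in pol["integ"] and enc == "aes256gcm16"
    else:
        integ_ok = integ in {AZURE_TO_SS[a] for a in pol["integ"] if a != "GCMAES256"}
    dh_ok = dh in {AZURE_TO_SS[a] for a in pol["dh"]}  # None only allowed when PFS "None"
    return enc_ok and integ_ok and dh_ok

def matching_proposals(line, side):
    """Return the proposals in an 'ike=...!' or 'esp=...!' line that Azure would accept."""
    value = line.split("=", 1)[1].strip().rstrip("!")
    return [p for p in value.split(",") if proposal_allowed(p, side)]
```

Run against the lines from the question and the answer to see that only aes256 with SHA-1/SHA-256 and modp1024 survives on the IKE side, while the ESP side also admits aes256gcm16 with ecp384 and aes256-sha256 without PFS.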