ecdsa, thank you for your response, which is what I suspected the answer would be. I was finally successful in generating a new ECDSA CA Key & CACERT and a 384-bit ECDSA X.509 client certificate, installing the ECDSA X.509 client certificate on my Windows 10 computer, and configuring the Windows 10 VPN client and my strongSwan VPN server to use IKEv2 DHGroup ECP384 key exchange with CNSA-compliant AES256GCM encryption. I am posting here the pertinent commands and portions of configuration files that finally got it working for me in the hopes that they will help others who want to do what I have done.
PowerShell cmdlet configuration:
PS C:\WINDOWS\system32> Set-VpnConnectionIPsecConfiguration -ConnectionName "WSL VPN (X.509)" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -EncryptionMethod GCMAES256 -IntegrityCheckMethod SHA384 -PfsGroup ECP384 -DHGroup ECP384 -PassThru -Force
AuthenticationTransformConstants : GCMAES256
CipherTransformConstants : GCMAES256
DHGroup : ECP384
IntegrityCheckMethod : SHA384
PfsGroup : ECP384
EncryptionMethod : GCMAES256
ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    uniqueids=no
conn %default
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    reauth=no
    mobike=yes
conn roadwarrior-ECDSA
    auto=add
    compress=yes
    type=tunnel
    keyexchange=ikev2
    # the trailing "!" makes the proposal lists strict: only these proposals are accepted
    ike=aes256-prfsha384-prfsha256-sha384-sha256-ecp384-ecp256-modp3072-modp2048,aes256gcm16-prfsha384-prfsha256-sha384-sha256-ecp384-ecp256-modp3072-modp2048!
    esp=aes256-prfsha384-prfsha256-sha384-sha256-ecp384-ecp256-modp3072-modp2048,aes256gcm16-prfsha384-prfsha256-sha384-sha256-ecp384-ecp256-modp3072-modp2048!
    left=%defaultroute
    leftid=mail.example.com
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostKeyECDSA.pem
    leftsendcert=always
    leftfirewall=yes
    # any client may connect; virtual IPs are handed out from this pool
    right=%any
    rightid=%any
    rightsourceip=192.168.109.0/24
    rightdns=192.168.110.222,8.8.8.8,8.8.4.4
    rightsendcert=never
    rightfirewall=yes
    auto=route
Snippet from strongSwan log:
roadwarrior-ECDSA[286]: ESTABLISHED 5 hours ago, 192.168.110.222[mail.example.com]...1.2.3.4[C=US, O=Will Snyder Industries, [email protected]]
roadwarrior-ECDSA[286]: IKEv2 SPIs: 41caec74d5829bc8_i 34766237017aa128_r*, rekeying disabled
roadwarrior-ECDSA[286]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
roadwarrior-ECDSA{638}: INSTALLED, TUNNEL, reqid 135, ESP in UDP SPIs: ca9791fe_i 66112426_o
roadwarrior-ECDSA{638}: AES_GCM_16_256/ECP_384, 1841739 bytes_i (12768 pkts, 0s ago), 21381073 bytes_o (17487 pkts, 0s ago), rekeying disabled
roadwarrior-ECDSA{638}: 0.0.0.0/0 === 192.168.109.50/32
Will Snyder
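As an added example that is not part of the post above, this script parses the SA lines of `ipsec statusall` output (the format shown in the log snippet) and flags any negotiated algorithm that is not one of the CNSA Suite choices the post targets (AES-256-GCM, SHA-384, ECP384). The allow-list, the prefix table used to classify strongSwan algorithm names, and the non-compliant "legacy" connection in the sample are this example's own assumptions.

```python
import re

# CNSA Suite choices for IKEv2/IPsec: AES-256-GCM, SHA-384 and P-384 (ECP_384).
# This allow-list is the example's own assumption, not something the post states.
CNSA_ALLOWED = {
    "encr": {"AES_GCM_16_256"},
    "prf": {"PRF_HMAC_SHA2_384"},
    "integ": {"HMAC_SHA2_384_192"},  # only appears with non-AEAD ciphers
    "dh": {"ECP_384"},
}
# strongSwan algorithm names are classified by prefix; order matters (AES_XCBC is integrity).
ROLE_PREFIXES = (("prf", ("PRF_",)), ("integ", ("HMAC_", "AES_XCBC", "AES_CMAC")),
                 ("dh", ("ECP_", "MODP_", "CURVE_")), ("encr", ("AES_", "3DES", "CHACHA20")))
# "conn[n]: IKE proposal: A/B/C" (IKE_SA) or "conn{n}: A/B, 123 bytes_i ..." (CHILD_SA).
SA_RE = re.compile(r"^(?P<conn>[\w-]+)(?P<kind>\[\d+\]|\{\d+\}): (?:IKE proposal: )?"
                   r"(?P<algs>[A-Z0-9_]+(?:/[A-Z0-9_]+)*)(?:,|$)")

def classify(token):
    """Map a strongSwan algorithm name to its role, or None for non-algorithm words like INSTALLED."""
    return next((role for role, prefixes in ROLE_PREFIXES if token.startswith(prefixes)), None)

def parse_status(text):
    """Return (conn, 'IKE' | 'CHILD', {role: algorithm}) for every SA line that lists algorithms."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if not m:
            continue
        algs = {classify(t): t for t in m.group("algs").split("/") if classify(t)}
        if algs:
            sas.append((m.group("conn"), "IKE" if m.group("kind")[0] == "[" else "CHILD", algs))
    return sas

def cnsa_violations(text):
    """One message per negotiated algorithm outside the allow-list, plus CHILD_SAs lacking a DH group (no PFS)."""
    problems = []
    for conn, kind, algs in parse_status(text):
        if kind == "CHILD" and "dh" not in algs:
            problems.append(f"{conn} {kind}: no DH group, PFS not negotiated")
        problems += [f"{conn} {kind}: {role} {alg} not CNSA-approved"
                     for role, alg in algs.items() if alg not in CNSA_ALLOWED[role]]
    return problems

# Constructed sample: the post's own SA lines plus a hypothetical non-compliant connection "legacy".
SAMPLE_STATUS = """\
roadwarrior-ECDSA[286]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
roadwarrior-ECDSA{638}: INSTALLED, TUNNEL, reqid 135, ESP in UDP SPIs: ca9791fe_i 66112426_o
roadwarrior-ECDSA{638}: AES_GCM_16_256/ECP_384, 1841739 bytes_i (12768 pkts, 0s ago), rekeying disabled
legacy{640}: AES_CBC_256/HMAC_SHA2_256_128/MODP_2048, 512 bytes_i (4 pkts, 3s ago), rekeying disabled
"""
```

Feed it the real output with `cnsa_violations(subprocess.check_output(["ipsec", "statusall"], text=True))`; an empty list means every established IKE_SA and CHILD_SA is on the allow-list.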