CDRouter IKE Test Summaries
Test Case Summaries
- Modules: 2
- Test Cases: 58
Below is a summary of the test cases in each module.
ike.tcl
IKEv1 site-to-site tunnel testing
Test Name | Synopsis |
---|---|
ike_1 | Verify gateway can act as tunnel initiator |
ike_2 | Verify gateway can act as tunnel responder |
ike_4 | Verify traffic is not sent in the clear when all Phase 2 SAs are deleted |
ike_5 | Verify traffic is not sent in the clear when all Phase 1 and 2 SAs are deleted |
ike_10 | Verify gateway switches to new Phase 2 SA after peer initiates new Phase 2 SA |
ike_12 | Verify gateway switches to new Phase 2 SA after peer initiates new Phase 1 and 2 SA |
ike_14 | Verify deletion of old Phase 1 and 2 SAs does not stop traffic over new SA |
ike_16 | Verify old Phase SA continues to work after new Phase 2 SA is initiated |
ike_30 | Verify gateway has retransmission strategy for Phase 1 establishment |
ike_31 | Verify gateway has retransmission strategy for Phase 2 establishment |
ike_40 | Verify gateway sends Phase 1 delete notification after Phase 1 lifetime expires (initiator) |
ike_41 | Verify gateway sends Phase 2 delete notification after Phase 2 lifetime expires (initiator) |
ike_42 | Verify gateway deletes Phase 1 SA after Phase 1 lifetime expires (initiator) |
ike_43 | Verify gateway deletes Phase 2 SA after Phase 2 lifetime expires (initiator) |
ike_50 | Verify gateway sends delete notification after Phase 1 lifetime expires (responder) |
ike_51 | Verify gateway sends delete notification after Phase 2 lifetime expires (responder) |
ike_52 | Verify gateway deletes Phase 1 SA after Phase 1 lifetime expires (responder) |
ike_53 | Verify gateway deletes Phase 2 SA after Phase 2 lifetime expires (responder) |
ike_70 | Verify gateway sends NOTIFY message when tunnel specification does not match |
ike_72 | Verify gateway reuses Phase 1 SA when Phase 2 setup fails |
ike_73 | Verify gateway reuses Phase 1 SA when Phase 2 is deleted |
ike_80 | Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received during new Phase 1 |
ike_81 | Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received during new Phase 2 |
ike_82 | Verify INITIAL-CONTACT is ignored if not protected under IKE SA |
ike_85 | Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received from NOTIFY |
ike_100 | Verify the maximum number of Phase 2 SAs that can be established with remote gateway |
ike_110 | Verify Phase 1 SA can be established when unknown Vendor IDs are included |
ike_122 | Verify gateway rejects Phase 2 proposals with unknown payloads |
ike_130 | Verify starting ESP sequence number for new phase SA is 1 |
ike_135 | Verify gateway anti-replay detection |
ike_136 | Verify out of sequence ESP packets do not trigger replay detection |
ike_140 | Verify IPSEC window moves forward |
ike_200 | Verify gateway responds to Dead Peer detection R-U-THERE requests |
ike_300 | Verify gateway supports peer IDs of type ID_FQDN |
ike_301 | Verify gateway supports peer IDs of type ID_USER_FQDN |
ike_302 | Verify gateway gracefully fails when ID type is unknown |
ike_310 | Verify gateway ignores unknown transform in Phase 1 proposal |
ike_311 | Verify gateway can find valid transform in large list of transforms |
ike_312 | Verify gateway recovers gracefully if no valid transform is found in proposal |
ike_320 | Verify gateway ignores unknown transform in Phase 2 proposal |
ike_321 | Verify gateway handles large transform list during Phase 2 |
ike_330 | Verify new Phase 2 can be established with SA Lifetime using both seconds and bytes |
ike_350 | Verify Phase 2 SA setup using small Nonce sizes (8) |
ike_351 | Verify Phase 2 SA setup using large Nonce sizes (256) |
ike_360 | Verify gateway can act as tunnel initiator and responder at the same time |
ike_365 | Verify gateway handles Diffie-Hellman public keys with leading zeros |
ike_366 | Verify gateway handles ephemeral Diffie-Hellman shared secret with leading zeros |
ike_370 | Verify gateway accepts fragmented IKE packets |
ike_371 | Verify gateway accepts fragmented IKE packets in reverse order |
ike_380 | Verify gateway ignores IKE packets with an invalid UDP checksum |
ike-natt.tcl
IKEv1 NAT-Traversal testing
Test Name | Synopsis |
---|---|
ike_natt_1 | Verify gateway detects NAT and uses NAT-T in initiator mode |
ike_natt_2 | Verify gateway detects NAT and uses NAT-T in responder mode |
ike_natt_10 | Verify gateway sends NAT-T Keep-alives in initiator mode |
ike_natt_11 | Verify gateway sends NAT-T Keep-alives in responder mode |
ike_natt_20 | When floating NAT-T header is used, IKE responses are sent to source port |
ike_natt_30 | Allow IKE negotiations to begin on port 4500 |
ike_natt_40 | No UDP encapsulation when NAT not detected in initiator mode |
ike_natt_41 | No UDP encapsulation when NAT not detected in responder mode |