Test Case Summaries
- Modules: 2
- Test Cases: 58
Below is a summary of the test cases in each module.
ike.tcl
IKEv1 site-to-site tunnel testing
Test Name | Module | Synopsis |
---|---|---|
ike_1 | ike.tcl | Verify gateway can act as tunnel initiator |
ike_2 | ike.tcl | Verify gateway can act as tunnel responder |
ike_4 | ike.tcl | Verify traffic is not sent in the clear when all Phase 2 SAs are deleted |
ike_5 | ike.tcl | Verify traffic is not sent in the clear when all Phase 1 and 2 SAs are deleted |
ike_10 | ike.tcl | Verify gateway switches to new Phase 2 SA after peer initiates new Phase 2 SA |
ike_12 | ike.tcl | Verify gateway switches to new Phase 2 SA after peer initiates new Phase 1 and 2 SA |
ike_14 | ike.tcl | Verify deletion of old Phase 1 and 2 SAs does not stop traffic over new SA |
ike_16 | ike.tcl | Verify old Phase SA continues to work after new Phase 2 SA is initiated |
ike_30 | ike.tcl | Verify gateway has retransmission strategy for Phase 1 establishment |
ike_31 | ike.tcl | Verify gateway has retransmission strategy for Phase 2 establishment |
ike_40 | ike.tcl | Verify gateway sends Phase 1 delete notification after Phase 1 lifetime expires (initiator) |
ike_41 | ike.tcl | Verify gateway sends Phase 2 delete notification after Phase 2 lifetime expires (initiator) |
ike_42 | ike.tcl | Verify gateway deletes Phase 1 SA after Phase 1 lifetime expires (initiator) |
ike_43 | ike.tcl | Verify gateway deletes Phase 2 SA after Phase 2 lifetime expires (initiator) |
ike_50 | ike.tcl | Verify gateway sends delete notification after Phase 1 lifetime expires (responder) |
ike_51 | ike.tcl | Verify gateway sends delete notification after Phase 2 lifetime expires (responder) |
ike_52 | ike.tcl | Verify gateway deletes Phase 1 SA after Phase 1 lifetime expires (responder) |
ike_53 | ike.tcl | Verify gateway deletes Phase 2 SA after Phase 2 lifetime expires (responder) |
ike_70 | ike.tcl | Verify gateway sends NOTIFY message when tunnel specification does not match |
ike_72 | ike.tcl | Verify gateway reuses Phase 1 SA when Phase 2 setup fails |
ike_73 | ike.tcl | Verify gateway reuses Phase 1 SA when Phase 2 is deleted |
ike_80 | ike.tcl | Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received during new Phase 1 |
ike_81 | ike.tcl | Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received during new Phase 2 |
ike_82 | ike.tcl | Verify INITIAL-CONTACT is ignored if not protected under IKE SA |
ike_85 | ike.tcl | Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received from NOTIFY |
ike_100 | ike.tcl | Verify the maximum number of Phase 2 SAs that can be established with remote gateway |
ike_110 | ike.tcl | Verify Phase 1 SA can be established when unknown Vendor IDs are included |
ike_122 | ike.tcl | Verify gateway rejects Phase 2 proposals with unknown payloads |
ike_130 | ike.tcl | Verify starting ESP sequence number for new phase SA is 1 |
ike_135 | ike.tcl | Verify gateway anti-replay detection |
ike_136 | ike.tcl | Verify out of sequence ESP packets do not trigger replay detection |
ike_140 | ike.tcl | Verify IPSEC window moves forward |
ike_200 | ike.tcl | Verify gateway responds to Dead Peer detection R-U-THERE requests |
ike_300 | ike.tcl | Verify gateway supports peer IDs of type ID_FQDN |
ike_301 | ike.tcl | Verify gateway supports peer IDs of type ID_USER_FQDN |
ike_302 | ike.tcl | Verify gateway gracefully fails when ID type is unknown |
ike_310 | ike.tcl | Verify gateway ignores unknown transform in Phase 1 proposal |
ike_311 | ike.tcl | Verify gateway can find valid transform in large list of transforms |
ike_312 | ike.tcl | Verify gateway recovers gracefully if no valid transform is found in proposal |
ike_320 | ike.tcl | Verify gateway ignores unknown transform in Phase 2 proposal |
ike_321 | ike.tcl | Verify gateway handles large transform list during Phase 2 |
ike_330 | ike.tcl | Verify new Phase 2 can be established with SA Lifetime using both seconds and bytes |
ike_350 | ike.tcl | Verify Phase 2 SA setup using small Nonce sizes (8) |
ike_351 | ike.tcl | Verify Phase 2 SA setup using large Nonce sizes (256) |
ike_360 | ike.tcl | Verify gateway can act as tunnel initiator and responder at the same time |
ike_365 | ike.tcl | Verify gateway handles Diffie-Hellman public keys with leading zeros |
ike_366 | ike.tcl | Verify gateway handles ephemeral Diffie-Hellman shared secret with leading zeros |
ike_370 | ike.tcl | Verify gateway accepts fragmented IKE packets |
ike_371 | ike.tcl | Verify gateway accepts fragmented IKE packets in reverse order |
ike_380 | ike.tcl | Verify gateway ignores IKE packets with an invalid UDP checksum |
ike-natt.tcl
IKEv1 NAT-Traversal testing
Test Name | Module | Synopsis |
---|---|---|
ike_natt_1 | ike-natt.tcl | Verify gateway detects NAT and uses NAT-T in initiator mode |
ike_natt_2 | ike-natt.tcl | Verify gateway detects NAT and uses NAT-T in responder mode |
ike_natt_10 | ike-natt.tcl | Verify gateway sends NAT-T Keep Alives in initiator mode |
ike_natt_11 | ike-natt.tcl | Verify gateway sends NAT-T Keep-alives in responder mode |
ike_natt_20 | ike-natt.tcl | When floating NAT-T header is used, IKE responses are sent to source port |
ike_natt_30 | ike-natt.tcl | Allow IKE negotiations to begin on port 4500 |
ike_natt_40 | ike-natt.tcl | No UDP encapsulation when NAT not detected in initiator mode |
ike_natt_41 | ike-natt.tcl | No UDP encapsulation when NAT not detected in responder mode |