CDRouter Support

CDRouter IKE Test Summaries

test-summary version 11.1

Test Case Summaries

  • Modules: 2
  • Test Cases: 58

Below is a summary of the testcases in each module

ike.tcl

IKEv1 site-to-site tunnel testing

Test Name Module Synopsis
ike_1 ike.tcl Verify gateway can act as tunnel initiator
ike_2 ike.tcl Verify gateway can act as tunnel responder
ike_4 ike.tcl Verify traffic is not sent in the clear when all Phase 2 SAs are deleted
ike_5 ike.tcl Verify traffic is not sent in the clear when all Phase 1 and 2 SAs are deleted
ike_10 ike.tcl Verify gateway switches to new Phase 2 SA after peer initiates new Phase 2 SA
ike_12 ike.tcl Verify gateway switches to new Phase 2 SA after peer initiates new Phase 1 and 2 SA
ike_14 ike.tcl Verify deletion of old Phase 1 and 2 SAs does not stop traffic over new SA
ike_16 ike.tcl Verify old Phase SA continues to work after new Phase 2 SA is initiated
ike_30 ike.tcl Verify gateway has retransmission strategy for Phase 1 establishment
ike_31 ike.tcl Verify gateway has retransmission strategy for Phase 2 establishment
ike_40 ike.tcl Verify gateway sends Phase 1 delete notification after Phase 1 lifetime expires (initiator)
ike_41 ike.tcl Verify gateway sends Phase 2 delete notification after Phase 2 lifetime expires (initiator)
ike_42 ike.tcl Verify gateway deletes Phase 1 SA after Phase 1 lifetime expires (initiator)
ike_43 ike.tcl Verify gateway deletes Phase 2 SA after Phase 2 lifetime expires (initiator)
ike_50 ike.tcl Verify gateway sends delete notification after Phase 1 lifetime expires (responder)
ike_51 ike.tcl Verify gateway sends delete notification after Phase 2 lifetime expires (responder)
ike_52 ike.tcl Verify gateway deletes Phase 1 SA after Phase 1 lifetime expires (responder)
ike_53 ike.tcl Verify gateway deletes Phase 2 SA after Phase 2 lifetime expires (responder)
ike_70 ike.tcl Verify gateway sends NOTIFY message when tunnel specification does not match
ike_72 ike.tcl Verify gateway reuses Phase 1 SA when Phase 2 setup fails
ike_73 ike.tcl Verify gateway reuses Phase 1 SA when Phase 2 is deleted
ike_80 ike.tcl Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received during new Phase 1
ike_81 ike.tcl Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received during new Phase 2
ike_82 ike.tcl Verify INITIAL-CONTACT is ignored if not protected under IKE SA
ike_85 ike.tcl Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received from NOTIFY
ike_100 ike.tcl Verify the maximum number of Phase 2 SAs that can be established with remote gateway
ike_110 ike.tcl Verify Phase 1 SA can be established when unknown Vendor IDs are included
ike_122 ike.tcl Verify gateway rejects Phase 2 proposals with unknown payloads
ike_130 ike.tcl Verify starting ESP sequence number for new phase SA is 1
ike_135 ike.tcl Verify gateway anti-replay detection
ike_136 ike.tcl Verify out of sequence ESP packets to not trigger replay detection
ike_140 ike.tcl Verify IPSEC window moves forward
ike_200 ike.tcl Verify gateway responds to Dead Peer detection R-U-THERE requests
ike_300 ike.tcl Verify gateway supports peer IDs of type ID_FQDN
ike_301 ike.tcl Verify gateway supports peer IDs of type ID_USER_FQDN
ike_302 ike.tcl Verify gateway gracefully fails when ID type is unknown
ike_310 ike.tcl Verify gateway ignores unknown transform in Phase 1 proposal
ike_311 ike.tcl Verify gateway can find valid transform in large list of transforms
ike_312 ike.tcl Verify gateway recovers gracefully if no valid transform is found in proposal
ike_320 ike.tcl Verify gateway ignores unknown transform in Phase 2 proposal
ike_321 ike.tcl Verify gateway handles large transform list during Phase 2
ike_330 ike.tcl Verify new Phase 2 can be established with SA Lifetime using both seconds and bytes
ike_350 ike.tcl Verify Phase 2 SA setup using small Nonce sizes (8)
ike_351 ike.tcl Verify Phase 2 SA setup using large Nonce sizes (256)
ike_360 ike.tcl Verify gateway can act as tunnel initiator and responder at the same time
ike_365 ike.tcl Verify gateway handles Diffie-Hellman public keys with leading zeros
ike_366 ike.tcl Verify gateway handles ephemeral Diffie-Hellman shared secret with leading zeros
ike_370 ike.tcl Verify gateway accepts fragmented IKE packets
ike_371 ike.tcl Verify gateway accepts fragmented IKE packets in reverse order
ike_380 ike.tcl Verify gateway ignores IKE packets with an invalid UDP checksum

ike-natt.tcl

IKEv1 NAT-Traversal testing

Test Name Module Synopsis
ike_natt_1 ike-natt.tcl Verify gateway detects NAT and uses NAT-T in initiator mode
ike_natt_2 ike-natt.tcl Verify gateway detects NAT and uses NAT-T in responder mode
ike_natt_10 ike-natt.tcl Verify gateway sends NAT-T Keep Alives in initiator mode
ike_natt_11 ike-natt.tcl Verify gateway sends NAT-T Keep-alives in responder mode
ike_natt_20 ike-natt.tcl When floating NAT-T header is used, IKE responses are sent to source port
ike_natt_30 ike-natt.tcl Allow IKE negotiations to begin on port 4500
ike_natt_40 ike-natt.tcl No UDP encapsulation when NAT not detected in initiator mode
ike_natt_41 ike-natt.tcl No UDP encapsulation when NAT not detected in responder mode

Contents

Open content in new tab

×
 

About CDRouter

CDRouter is made by QA Cafe, a technology company based in Portsmouth, NH.

Get in touch via our Contact page or by following us on your favorite service: