Product
Search Results

CDRouter IKE Test Summaries

Test Case Summaries

  • Modules: 2
  • Test Cases: 58

Below is a summary of the testcases in each module


ike.tcl

IKEv1 site-to-site tunnel testing

Test Name Synopsis
ike_1 Verify gateway can act as tunnel initiator
ike_2 Verify gateway can act as tunnel responder
ike_4 Verify traffic is not sent in the clear when all Phase 2 SAs are deleted
ike_5 Verify traffic is not sent in the clear when all Phase 1 and 2 SAs are deleted
ike_10 Verify gateway switches to new Phase 2 SA after peer initiates new Phase 2 SA
ike_12 Verify gateway switches to new Phase 2 SA after peer initiates new Phase 1 and 2 SA
ike_14 Verify deletion of old Phase 1 and 2 SAs does not stop traffic over new SA
ike_16 Verify old Phase SA continues to work after new Phase 2 SA is initiated
ike_30 Verify gateway has retransmission strategy for Phase 1 establishment
ike_31 Verify gateway has retransmission strategy for Phase 2 establishment
ike_40 Verify gateway sends Phase 1 delete notification after Phase 1 lifetime expires (initiator)
ike_41 Verify gateway sends Phase 2 delete notification after Phase 2 lifetime expires (initiator)
ike_42 Verify gateway deletes Phase 1 SA after Phase 1 lifetime expires (initiator)
ike_43 Verify gateway deletes Phase 2 SA after Phase 2 lifetime expires (initiator)
ike_50 Verify gateway sends delete notification after Phase 1 lifetime expires (responder)
ike_51 Verify gateway sends delete notification after Phase 2 lifetime expires (responder)
ike_52 Verify gateway deletes Phase 1 SA after Phase 1 lifetime expires (responder)
ike_53 Verify gateway deletes Phase 2 SA after Phase 2 lifetime expires (responder)
ike_70 Verify gateway sends NOTIFY message when tunnel specification does not match
ike_72 Verify gateway reuses Phase 1 SA when Phase 2 setup fails
ike_73 Verify gateway reuses Phase 1 SA when Phase 2 is deleted
ike_80 Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received during new Phase 1
ike_81 Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received during new Phase 2
ike_82 Verify INITIAL-CONTACT is ignored if not protected under IKE SA
ike_85 Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received from NOTIFY
ike_100 Verify the maximum number of Phase 2 SAs that can be established with remote gateway
ike_110 Verify Phase 1 SA can be established when unknown Vendor IDs are included
ike_122 Verify gateway rejects Phase 2 proposals with unknown payloads
ike_130 Verify starting ESP sequence number for new phase SA is 1
ike_135 Verify gateway anti-replay detection
ike_136 Verify out of sequence ESP packets to not trigger replay detection
ike_140 Verify IPSEC window moves forward
ike_200 Verify gateway responds to Dead Peer detection R-U-THERE requests
ike_300 Verify gateway supports peer IDs of type ID_FQDN
ike_301 Verify gateway supports peer IDs of type ID_USER_FQDN
ike_302 Verify gateway gracefully fails when ID type is unknown
ike_310 Verify gateway ignores unknown transform in Phase 1 proposal
ike_311 Verify gateway can find valid transform in large list of transforms
ike_312 Verify gateway recovers gracefully if no valid transform is found in proposal
ike_320 Verify gateway ignores unknown transform in Phase 2 proposal
ike_321 Verify gateway handles large transform list during Phase 2
ike_330 Verify new Phase 2 can be established with SA Lifetime using both seconds and bytes
ike_350 Verify Phase 2 SA setup using small Nonce sizes (8)
ike_351 Verify Phase 2 SA setup using large Nonce sizes (256)
ike_360 Verify gateway can act as tunnel initiator and responder at the same time
ike_365 Verify gateway handles Diffie-Hellman public keys with leading zeros
ike_366 Verify gateway handles ephemeral Diffie-Hellman shared secret with leading zeros
ike_370 Verify gateway accepts fragmented IKE packets
ike_371 Verify gateway accepts fragmented IKE packets in reverse order
ike_380 Verify gateway ignores IKE packets with an invalid UDP checksum

ike-natt.tcl

IKEv1 NAT-Traversal testing

Test Name Synopsis
ike_natt_1 Verify gateway detects NAT and uses NAT-T in initiator mode
ike_natt_2 Verify gateway detects NAT and uses NAT-T in responder mode
ike_natt_10 Verify gateway sends NAT-T Keep Alives in initiator mode
ike_natt_11 Verify gateway sends NAT-T Keep-alives in responder mode
ike_natt_20 When floating NAT-T header is used, IKE responses are sent to source port
ike_natt_30 Allow IKE negotiations to begin on port 4500
ike_natt_40 No UDP encapsulation when NAT not detected in initiator mode
ike_natt_41 No UDP encapsulation when NAT not detected in responder mode