Title

  Test IKEv2.EN.I.1.1.6.11: Receipt of INVALID_KE_PAYLOAD in Initial Exchange 
  Part B: IKE_SA Responder's SPI is not zero (ADVANCED)


Purpose

  To verify that an IKEv2 device properly handles an IKE_SA_INIT response carrying a
  Notify payload of type INVALID_KE_PAYLOAD.


References

  * [RFC 4306] - Sections 2.7, 3.4 and 3.10.1
  * [RFC 4718] - Sections 2.1 and 2.2


Test Setup

  * Network Topology
      Connect the devices according to the Common Topology.
  * Configuration
      In each part, configure the devices according to the Common Configuration.
  * Pre-Sequence and Cleanup Sequence
      IKEv2 on the NUT is disabled after each part.


Procedure

   NUT                  TN1
(End-Node)           (End-Node)
    |                    |
    |------------------->| IKE_SA_INIT request (HDR, SAi1(DH#2, DH#14), KEi(DH#14), Ni)
    |                    | (Judgement #1)
    |<-------------------| IKE_SA_INIT Response (HDR, N(INVALID_KE_PAYLOAD(DH#2)))
    |                    | (Packet #1)
    |                    |
    |------------------->| IKE_SA_INIT request (HDR, SAi1(DH#2, DH#14), KEi'(DH#2), Ni)
    |                    | (Judgement #2)
    |                    |
    V                    V
  
  Packet #1    See below

  Packet #1: IKE_SA_INIT response

    IPv6 Header     Same as the Common Packet #2
    UDP Header      Same as the Common Packet #2
    IKEv2 Header    Same as the Common Packet #2
                      IKE_SA Responder's SPI   See each Part
    N Payload       Next Payload               0
                    Critical                   0
                    Reserved                   0
                    Payload Length             10
                    Protocol ID                0
                    SPI Size                   0
                    Notify Message Type        INVALID_KE_PAYLOAD (17)
                    Notification Data          The accepted D-H Group # (2)

  Part B: IKE_SA Responder's SPI is not zero (BASIC)
     5. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
     6. Observe the messages transmitted on Link A.
     7. TN1 responds with an IKE_SA_INIT Response including a Notify payload of type
         INVALID_KE_PAYLOAD containing 2 (1024 Bit MODP) as Notification Data to the NUT.
         The message's IKE_SA Responder's SPI is set to one.
     8. Observe the messages transmitted on Link A.


Observable Result

  Part B
       Step 6: Judgment #1
       The NUT transmits an IKE_SA_INIT request including
       "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96", "D-H group 2" and "D-H
       group 14" as proposed algorithms. The KEi payload must carry the "D-H group 14"
       public key value.
       Step 8: Judgment #2
       The NUT transmits an IKE_SA_INIT request including a Key Exchange payload which
       contains the "D-H group 2" public key value. All other payloads are unchanged.
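
  The following is an added example, not part of the original test specification or of any
  test tool: it encodes the N payload of Packet #1, parses it, and evaluates Judgment #2
  against a retried KEi payload. The function names and the zero-filled public values are
  assumptions made for illustration, and the check that the notified group was actually
  proposed is an added sanity check, since the notification is unauthenticated.

```python
import struct

INVALID_KE_PAYLOAD = 17  # Notify Message Type in Packet #1

def build_invalid_ke_notify(accepted_group):
    """Encode the N payload of Packet #1 (layout per RFC 4306 section 3.10)."""
    data = struct.pack("!H", accepted_group)
    length = 8 + len(data)  # generic header (4) + Protocol ID, SPI Size, Type (4) + data
    # Next Payload 0, Critical/Reserved 0, Payload Length, Protocol ID 0, SPI Size 0, Type
    return struct.pack("!BBHBBH", 0, 0, length, 0, 0, INVALID_KE_PAYLOAD) + data

def parse_invalid_ke_notify(payload):
    """Return the D-H group carried as Notification Data, or raise ValueError."""
    if len(payload) < 8:
        raise ValueError("truncated Notify payload")
    _np, _flags, length, _proto, spi_size, ntype = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        raise ValueError("Payload Length does not match the bytes received")
    if ntype != INVALID_KE_PAYLOAD:
        raise ValueError("Notify Message Type is not INVALID_KE_PAYLOAD")
    data = payload[8 + spi_size:]
    if len(data) != 2:
        raise ValueError("Notification Data must be a 2-octet group number")
    return struct.unpack("!H", data)[0]

def build_ke(group, public_value):
    """Encode a KE payload: generic header, DH Group #, RESERVED, key data (section 3.4)."""
    return struct.pack("!BBHHH", 0, 0, 8 + len(public_value), group, 0) + public_value

def ke_group(ke_payload):
    """Read the DH Group # field of a KE payload."""
    if len(ke_payload) < 8:
        raise ValueError("truncated KE payload")
    return struct.unpack("!H", ke_payload[4:6])[0]

def judgment_2(proposed_groups, notify, retried_ke):
    """True when the retried KEi uses the notified group and that group was proposed."""
    group = parse_invalid_ke_notify(notify)
    return group in proposed_groups and ke_group(retried_ke) == group

# Constructed sample data: zero-filled public values of the right size, not real keys.
PACKET_1_N = build_invalid_ke_notify(2)
KE_GROUP_14 = build_ke(14, bytes(256))  # 2048-bit MODP value
KE_GROUP_2 = build_ke(2, bytes(128))    # 1024-bit MODP value
```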


Possible Problems

  * None.