Test IKEv2.EN.I.1.2.3.4: Sending Multiple Transform
Part B: Multiple Integrity Algorithms (ADVANCED)
To verify an IKEv2 device properly transmits CREATE_CHILD_SA request with multiple
transforms to rekey CHILD_SA.
* [RFC 4306] - Sections 2.7 and 3.3
* Network Topology
Connect the devices according to the Common Topology.
* Configuration
In each part, configure the devices according to the following configuration:
|
CREATE_CHILD_SA exchanges Algorithms |
| Encryption |
Integrity |
ESN |
| Part B |
ENCR_3DES |
AUTH_HMAC_SHA1_96
AUTH_AES_XCBC_96 |
No ESN |
* Pre-Sequence and Cleanup Sequence
IKEv2 on the NUT is disabled after each part.
NUT TN1
(End-Node) (End-Node)
| |
|------------------->| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
| | (Judgement #1)
|<-------------------| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
| | (Packet #1)
| |
|------------------->| IKE_AUTH request (HDR, SK {IDi, AUTH, N+, SAi2, TSi, TSr})
| | (Judgement #2)
|<-------------------| IKE_AUTH Response (HDR, SK {IDr, AUTH, N+, SAr2, TSi, TSr})
| | (Packet #2)
| |
--- ---
| | ---
|<-------------------| IPSec {Echo Request} |
| | (Packet #3) |
|------------------->| IPSec {Echo Reply} | repeat Echo exchange until lifetime of SA is expired
| | (Judgement #3) |
| | ---
--- ---
| |
|------------------->| CREATE_CHILD_SA request (HDR, SK {N, N+, SA, Ni, TSi, TSr})
| | (Judgement #4)
| |
V V
N: REKEY_SA
N+: USE_TRANSPORT_MODE
| Packet #1 |
See Common Packet #2 |
| Packet #2 |
See Common Packet #4 |
| Packet #3 |
See Common Packet #19 |
Part B: Multiple Integrity Algorithms (ADVANCED)
10. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
11. Observe the messages transmitted on Link A.
12. TN1 responds with an IKE_SA_INIT response to the NUT.
13. Observe the messages transmitted on Link A.
14. After reception of IKE_AUTH request from the NUT, TN1 responds with an IKE_AUTH
response to the NUT
15. TN1 transmits an Echo Request with IPsec ESP using corresponding algorithms to NUT.
16. Observe the messages transmitted on Link A.
17. Repeat Steps 15 and 16 until lifetime of SA is expired for 30 seconds.
18. Observe the messages transmitted on Link A.
Part B
Step 11: Judgment #1
The NUT transmits an IKE_SA_INIT request including "ENCR_3DES",
"PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed
algorithms.
Step 13: Judgment #2
The NUT transmits an IKE_AUTH request including "ENCR_3DES",
"AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed algorithms.
Step 16: Judgment #3
The NUT transmits an Echo Reply with IPsec ESP using corresponding algorithms.
Step 18: Judgment #4
The NUT transmits a CREATE_CHILD_SA request including "ENCR_3DES",
"AUTH_HMAC_SHA1_96", "AUTH_AES_XCBC_96" and "No Extended Sequence
Numbers" as proposed algorithms. And the CREATE_CHILD_SA request includes a Notify
payload of type REKEY_SA containing rekeyed CHILD_SA's SPI value in the SPI field.
* Each NUT has the different lifetime of SA.