Title

  Test IKEv2.EN.I.2.1.2.2: Receipt of CFG_REPLY
  Part A (ADVANCED)


Purpose

  To verify an IKEv2 device properly handles the Initial Exchanges using Pre-shared key


References

  * [RFC 4306] - Sections 2.19 and 3.15


Test Setup

  * Network Topology
      Connect the devices according to the following topology.
   NUT
(End-Node)
    |
----+-------+--- Link A (Prefix A, MTU=1500)
            |
           TR1
         (Router)
            |
----+-------+--- Link X (Prefix X, MTU=1500)
    |
   TN1
  (SGW)
    |
----+-------+--- Link Y (Prefix Y, MTU=1500)
            |
           TH1
          (Host)

Prefix A = 2001:0db8:0001:0001::/64 Prefix X = 2001:0db8:000f:0001::/64 Prefix Y = 2001:0db8:000f:0002::/64
NUT End-Node Link A Prefix A::any_interface_ID (External Address)
Prefix Y::1 (Internal Address) (assigned by CP)
TR1 Router Link A fe80::f
TN1 SGW Link X Prefix X::1
TH1 Host Link Y Prefix Y::f
  * Configuration
      In each part, configure NUT according to the Common Configuration except the traffic
      selector. Configure NUT to transmit CFG_REQUEST for
      INTERNAL_IP6_ADDRESS. The traffic selector must be configured by the following
      table.
Traffic Selector
Source
Destination
Address
Range
Next Layer
Protocol
Port
Range
Address
Range
Next Layer
Protocol
Port
Range
Inbound Link Y ANY ANY NUT
(internal address)
ANY ANY
Outbound NUT
(internal address)
ANY ANY Link Y ANY ANY
NUT must propose Traffic Selector covering above address range.
  * Pre-Sequence and Cleanup Sequence
      IKEv2 on the NUT is disabled after each part.


Procedure


   NUT            TN1           TH1
(End-Node)       (SGW)         (Host)
    |              |             |
    |------------->|             | IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
    |              |             | (Judgement #1)
    |<-------------|             | IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
    |              |             | (Packet #1)
    |              |             |
    |------------->|             | IKE_AUTH request (HDR, SK {IDi, AUTH,
    |              |             |                            CP(CFG_REQUEST), SAi2, TSi, TSr})
    |              |             | (Judgement #2)
    |<-------------|             | IKE_AUTH Response (HDR, SK {IDr, AUTH, CP(CFG_REPLY), SAr2, TSi, TSr})
    |              |             | (Packet #2)
    |              |             |
    |<=============+-------------| IPsec {Echo Request (sent to NUT internal address)}
    |              |             | (Packet #3)
    |==============+------------>| IPsec {Echo Reply (sent from NUT internal address)}
    |              |             | (Judgement #3)
    |              |             |
    V              V             V
Packet #1 See Common Packet #2
Packet #2 See Below
Packet #3 See Below
Packet #2: IKE_AUTH response packet
IPv6 Header Same as Common Packet #6
UDP Header Same as Common Packet #6
IKEv2 Header Same as Common Packet #6
E Payloa Same as Common Packet #6
IDr Payload Same as Common Packet #6
AUTH Payload Next Payload 47 (CP)
Other fields are same as Common Packet #6
CP Payload Next Payload 33 (SA)
Critical 0
Reserved 0
Payload Length 29
CFG Type 2 (CFG_REPLY)
RESERVED 0
Configuration Attributes See below
SA Payload Same as Common Packet #6
TSi Payload Other fields are same as Common Packet #6
Traffic Selectors See below
TSr Payload Same as Common Packet #6
Configuration Attributes Reserved 0
Attribute Type INTERNAL_IP6_ADDRESS
Length 17
Value IPv6 address Prefix Y::1
Prefix-length 128
Traffic Selector TS Type 8 (IPV6_ADDR_RANGE)
IP Protocol ID 0 (any)
Selector Length 40
Start Port 0
End Port 65535
Starting Address Prefix Y::1
Ending Address Prefix Y::1


Packet #3: Echo Request packet
IPv6 Header Same as Common Packet #20
ESP Same as Common Packet #20
IPv6 Header Source Address Prefyx Y::f
Destination Address Prefix Y::1
ICMPv6 Header Same as Common Packet #20
  Part A (ADVANCED)
       1. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
       2. Observe the messages transmitted on Link A.
       3. TN1 responds with an IKE_SA_INIT response to the NUT.
       4. Observe the messages transmitted on Link A.
       5. After reception of IKE_AUTH request from the NUT, TN1 responds with an IKE_AUTH
          response to the NUT
       6. TH1 transmits an Echo Request to NUT internal address and TN1 forwards an Echo Request
          with IPsec ESP using ENCR_3DES an AUTH_HMAC_SHA1_96.
       7. Observe the messages transmitted on Link A.


Observable Result

  Part A
    Step 2: Judgment #1
      The NUT transmits an IKE_SA_INIT request including "ENCR_3DES",
      "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed
      algorithms.
  
    Step 4: Judgment #2
      The NUT transmits an IKE_AUTH request including "ENCR_3DES",
      "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed
      algorithms.
   
    Step 7: Judgment #3
      The NUT transmits an Echo Reply with IPsec ESP using ENCR_3DES an
      AUTH_HMAC_SHA1_96. The inner packet is sent from NUT internal address.


Possible Problems

  * None