Title

  Test IKEv2.EN.I.2.1.2.2: Receipt of CFG_REPLY
  Part A (ADVANCED)

Purpose

  To verify an IKEv2 device properly handles the Initial Exchanges using Pre-shared key

References

  * [RFC 4306] - Sections 2.19 and 3.15

Test Setup

  * Network Topology
      Connect the devices according to the following topology.

   NUT
(End-Node)
    |
----+-------+--- Link A (Prefix A, MTU=1500)
            |
           TR1
         (Router)
            |
----+-------+--- Link X (Prefix X, MTU=1500)
    |
   TN1
  (SGW)
    |
----+-------+--- Link Y (Prefix Y, MTU=1500)
            |
           TH1
          (Host)


Prefix A = 2001:0db8:0001:0001::/64
Prefix X = 2001:0db8:000f:0001::/64
Prefix Y = 2001:0db8:000f:0002::/64



NUT
End-Node
Link A
Prefix A::any_interface_ID (External Address) 


Prefix Y::1 (Internal Address) (assigned by CP)


TR1
Router
Link A
fe80::f 


TN1
SGW
Link X
Prefix X::1


TH1
Host 
Link Y
Prefix Y::f

  * Configuration
      In each part, configure NUT according to the Common Configuration except the traffic
      selector. Configure NUT to transmit CFG_REQUEST for
      INTERNAL_IP6_ADDRESS. The traffic selector must be configured by the following
      table.

	Traffic Selector
	Source			Destination
	Address Range	Next Layer Protocol	Port Range	Address Range	Next Layer Protocol	Port Range
Inbound	Link Y	ANY	ANY	NUT (internal address)	ANY	ANY
Outbound	NUT (internal address)	ANY	ANY	Link Y	ANY	ANY

NUT must propose Traffic Selector covering above address range.

  * Pre-Sequence and Cleanup Sequence
      IKEv2 on the NUT is disabled after each part.

Procedure

   NUT            TN1           TH1
(End-Node)       (SGW)         (Host)
    |              |             |
    |------------->|             | IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
    |              |             | (Judgement #1)
    |<-------------|             | IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
    |              |             | (Packet #1)
    |              |             |
    |------------->|             | IKE_AUTH request (HDR, SK {IDi, AUTH,
    |              |             |                            CP(CFG_REQUEST), SAi2, TSi, TSr})
    |              |             | (Judgement #2)
    |<-------------|             | IKE_AUTH Response (HDR, SK {IDr, AUTH, CP(CFG_REPLY), SAr2, TSi, TSr})
    |              |             | (Packet #2)
    |              |             |
    |<=============+-------------| IPsec {Echo Request (sent to NUT internal address)}
    |              |             | (Packet #3)
    |==============+------------>| IPsec {Echo Reply (sent from NUT internal address)}
    |              |             | (Judgement #3)
    |              |             |
    V              V             V

Packet #1	See Common Packet #2
Packet #2	See Below
Packet #3	See Below

Packet #2: IKE_AUTH response packet

IPv6 Header	Same as Common Packet #6
UDP Header	Same as Common Packet #6
IKEv2 Header	Same as Common Packet #6
E Payloa	Same as Common Packet #6
IDr Payload	Same as Common Packet #6
AUTH Payload	Next Payload	47 (CP)
	Other fields are same as Common Packet #6
CP Payload	Next Payload	33 (SA)
	Critical	0
	Reserved	0
	Payload Length	29
	CFG Type	2 (CFG_REPLY)
	RESERVED	0
	Configuration Attributes	See below
SA Payload	Same as Common Packet #6
TSi Payload	Other fields are same as Common Packet #6
	Traffic Selectors	See below
TSr Payload	Same as Common Packet #6

Configuration Attributes	Reserved	0
	Attribute Type	INTERNAL_IP6_ADDRESS
	Length	17
	Value	IPv6 address	Prefix Y::1
		Prefix-length	128

Traffic Selector	TS Type	8 (IPV6_ADDR_RANGE)
	IP Protocol ID	0 (any)
	Selector Length	40
	Start Port	0
	End Port	65535
	Starting Address	Prefix Y::1
	Ending Address	Prefix Y::1

Packet #3: Echo Request packet

IPv6 Header	Same as Common Packet #20
ESP	Same as Common Packet #20
IPv6 Header	Source Address	Prefyx Y::f
	Destination Address	Prefix Y::1
ICMPv6 Header	Same as Common Packet #20

  Part A (ADVANCED)
       1. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
       2. Observe the messages transmitted on Link A.
       3. TN1 responds with an IKE_SA_INIT response to the NUT.
       4. Observe the messages transmitted on Link A.
       5. After reception of IKE_AUTH request from the NUT, TN1 responds with an IKE_AUTH
          response to the NUT
       6. TH1 transmits an Echo Request to NUT internal address and TN1 forwards an Echo Request
          with IPsec ESP using ENCR_3DES an AUTH_HMAC_SHA1_96.
       7. Observe the messages transmitted on Link A.

Observable Result

  Part A
    Step 2: Judgment #1
      The NUT transmits an IKE_SA_INIT request including "ENCR_3DES",
      "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed
      algorithms.
  
    Step 4: Judgment #2
      The NUT transmits an IKE_AUTH request including "ENCR_3DES",
      "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed
      algorithms.
   
    Step 7: Judgment #3
      The NUT transmits an Echo Reply with IPsec ESP using ENCR_3DES an
      AUTH_HMAC_SHA1_96. The inner packet is sent from NUT internal address.

Possible Problems

  * None