Title

  Test IKEv2.EN.I.2.1.2.4: Receipt of IKE_AUTH response without CFG_REPLY
  Part A (ADVANCED)


Purpose

  To verify that an IKEv2 device properly handles the Initial Exchanges using a pre-shared key.


References

  * [RFC 4718] - Section 6.8


Test Setup

  * Network Topology
     Connect the devices according to the following topology.
   NUT
(End-Node)
    |
----+-------+--- Link A (Prefix A, MTU=1500)
            |
           TR1
         (Router)
            |
----+-------+--- Link X (Prefix X, MTU=1500)
    |
   TN1
  (SGW)
    |
----+-------+--- Link Y (Prefix Y, MTU=1500)
            |
           TH1
          (Host)

     Prefix A = 2001:0db8:0001:0001::/64
     Prefix X = 2001:0db8:000f:0001::/64
     Prefix Y = 2001:0db8:000f:0002::/64

     NUT   End-Node   Link A   Prefix A::any_interface_ID (External Address)
                               Prefix Y::1 (Internal Address) (assigned by CP)
     TR1   Router     Link A   fe80::f
     TN1   SGW        Link X   Prefix X::1
     TH1   Host       Link Y   Prefix Y::f

  * Configuration
     In each part, configure NUT according to the Common Configuration except the traffic
     selector. Configure NUT to transmit CFG_REQUEST for
     INTERNAL_IP6_ADDRESS. The traffic selector must be configured by the following
     table.

     Traffic Selector

                 Source                                         Destination
                 Address Range            Next Layer   Port     Address Range            Next Layer   Port
                                          Protocol     Range                             Protocol     Range
     Inbound     Link Y                   ANY          ANY      NUT (internal address)   ANY          ANY
     Outbound    NUT (internal address)   ANY          ANY      Link Y                   ANY          ANY

     NUT must propose Traffic Selector covering above address range.

  * Pre-Sequence and Cleanup Sequence
      IKEv2 on the NUT is disabled after each part.


Procedure


   NUT                  TN1
(End-Node)           (End-Node)
    |                    |
    |------------------->| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
    |                    | (Judgement #1)
    |<-------------------| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
    |                    | (Packet #1)
    |                    |
    |------------------->| IKE_AUTH request (HDR, SK {IDi, AUTH, N, CP(CFG_REQUEST), SAi2, TSi, TSr})
    |                    | (Judgement #2)
    |<-------------------| IKE_AUTH Response (HDR, SK {IDr, AUTH, N, SAr2, TSi, TSr})
    |                    | (Packet #2)
    |                    |  
    |<-------------------| INFORMATIONAL request (HDR, SK {})
    |                    | (Packet #3)
    |------------------->| INFORMATIONAL response (HDR, SK {})
    |                    | (Judgement #3)
    |                    |
    V                    V

     Packet #1   See Common Packet #2
     Packet #2   See Below
     Packet #3   See Common Packet #17

     Packet #2: IKE_AUTH response packet

     IPv6 Header        Same as Common Packet #6
     UDP Header         Same as Common Packet #6
     IKEv2 Header       Same as Common Packet #6
     E Payload          Same as Common Packet #6
     IDr Payload        Same as Common Packet #6
     AUTH Payload       Next Payload        33 (SA)
                        Other fields are same as Common Packet #6
     SA Payload         Same as Common Packet #6
     TSi Payload        Other fields are same as Common Packet #6
                        Traffic Selectors   See below
     TSr Payload        Same as Common Packet #6

     Traffic Selector   TS Type             8 (IPV6_ADDR_RANGE)
                        IP Protocol ID      0 (any)
                        Selector Length     40
                        Start Port          0
                        End Port            65535
                        Starting Address    Prefix Y::1
                        Ending Address      Prefix Y::1
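
The Packet #2 layout above can be checked mechanically. The following Python sketch is an added example, not part of the test specification or any test tool: it encodes the TSi traffic selector from the table and walks a decrypted payload chain to confirm that AUTH is followed directly by SA with no Configuration payload. Payload type numbers are those of RFC 4306; the function names and the 4-byte dummy payload bodies are assumptions made for illustration.

```python
import ipaddress
import struct

# IKEv2 payload type numbers (RFC 4306, section 3.2)
SA, IDR, AUTH, TSI, TSR, CP = 33, 36, 39, 44, 45, 47

def traffic_selector(start, end, proto=0, start_port=0, end_port=65535):
    """Encode one TS_IPV6_ADDR_RANGE (type 8) selector."""
    s = ipaddress.IPv6Address(start).packed
    e = ipaddress.IPv6Address(end).packed
    length = 8 + len(s) + len(e)  # 8-byte fixed part + two 16-byte addresses
    return struct.pack("!BBHHH", 8, proto, length, start_port, end_port) + s + e

def ts_body(selectors):
    """TS payload body: selector count, 3 reserved bytes, then the selectors."""
    return struct.pack("!B3x", len(selectors)) + b"".join(selectors)

def chain(payloads):
    """Serialize [(type, body), ...] behind generic payload headers."""
    out = b""
    for i, (_ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return out

def payload_types(first, data):
    """Walk a decrypted payload chain; return the payload types in order."""
    types, ptype, off = [], first, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        types.append(ptype)
        ptype, off = nxt, off + length
    return types

# Constructed sample: Prefix Y::1 from the topology; the other payload
# bodies are 4-byte dummy placeholders, not real IDr/AUTH/SA/TSr contents.
DUMMY = b"\x00" * 4
TS = traffic_selector("2001:db8:f:2::1", "2001:db8:f:2::1")
PACKET2 = chain([(IDR, DUMMY), (AUTH, DUMMY), (SA, DUMMY),
                 (TSI, ts_body([TS])), (TSR, DUMMY)])
WITH_CP = chain([(IDR, DUMMY), (AUTH, DUMMY), (CP, DUMMY), (SA, DUMMY)])

if __name__ == "__main__":
    print("Packet #2 types:", payload_types(IDR, PACKET2))
    print("CP present:", CP in payload_types(IDR, PACKET2))
```

The first payload type passed to `payload_types` is the Next Payload value carried in the E payload header.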


  Part A (ADVANCED)
     1. NUT starts to negotiate with TN1 by sending IKE_SA_INIT request.
     2. Observe the messages transmitted on Link A.
     3. TN1 responds with an IKE_SA_INIT response to the NUT.
     4. Observe the messages transmitted on Link A.
     5. After reception of IKE_AUTH request from the NUT, TN1 responds with an IKE_AUTH
         response to the NUT. The message does not include any Configuration payloads.
     6. TH1 transmits an INFORMATIONAL request with no payload to NUT.
     7. Observe the messages transmitted on Link A.


Observable Result

  Part A
       Step 2: Judgment #1
       The NUT transmits an IKE_SA_INIT request including "ENCR_3DES",
       "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed
       algorithms.
       Step 4: Judgment #2
       The NUT transmits an IKE_AUTH request including "ENCR_3DES",
       "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed
       algorithms.
       Step 7: Judgment #3
       The NUT transmits an INFORMATIONAL response with no payload to the TN1.


Possible Problems

  * None