Test IKEv2.EN.I.2.1.2.4: Receipt of IKE_AUTH response without CFG_REPLY Part A (ADVANCED)
To verify an IKEv2 device properly handles the Initial Exchanges using Pre-shared key
* [RFC 4718] - Section 6.8
* Network Topology
Connect the devices according to the following topology.

            NUT
         (End-Node)
             |
    ----+----+----+--- Link A (Prefix A, MTU=1500)
             |
            TR1
         (Router)
             |
    ----+----+----+--- Link X (Prefix X, MTU=1500)
             |
            TN1
           (SGW)
             |
    ----+----+----+--- Link Y (Prefix Y, MTU=1500)
             |
            TH1
          (Host)

Prefix A = 2001:0db8:0001:0001::/64
Prefix X = 2001:0db8:000f:0001::/64
Prefix Y = 2001:0db8:000f:0002::/64

Node  Type      Link    Address
NUT   End-Node  Link A  Prefix A::any_interface_ID (External Address)
                        Prefix Y::1 (Internal Address, assigned by CP)
TR1   Router    Link A  fe80::f
TN1   SGW       Link X  Prefix X::1
TH1   Host      Link Y  Prefix Y::f
* Configuration
In each part, configure NUT according to the Common Configuration except the traffic selector. Configure NUT to transmit CFG_REQUEST for INTERNAL_IP6_ADDRESS. The traffic selector must be configured by the following table.

Traffic   Source                                          Destination
Selector  Address Range   Next Layer Protocol  Port Range  Address Range   Next Layer Protocol  Port Range
Inbound   Link Y          ANY                  ANY         NUT (internal   ANY                  ANY
                                                           address)
Outbound  NUT (internal   ANY                  ANY         Link Y          ANY                  ANY
          address)

NUT must propose Traffic Selectors covering the above address ranges.
* Pre-Sequence and Cleanup Sequence
IKEv2 on the NUT is disabled after each part.

      NUT                      TN1
   (End-Node)               (End-Node)
       |                        |
       |----------------------->| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
       |                        | (Judgment #1)
       |<-----------------------| IKE_SA_INIT response (HDR, SAr1, KEr, Nr)
       |                        | (Packet #1)
       |----------------------->| IKE_AUTH request (HDR, SK {IDi, AUTH, N, CP(CFG_REQUEST), SAi2, TSi, TSr})
       |                        | (Judgment #2)
       |<-----------------------| IKE_AUTH response (HDR, SK {IDr, AUTH, N, SAr2, TSi, TSr})
       |                        | (Packet #2)
       |<-----------------------| INFORMATIONAL request (HDR, SK {})
       |                        | (Packet #3)
       |----------------------->| INFORMATIONAL response (HDR, SK {})
       |                        | (Judgment #3)
       V                        V

Packet #1  See Common Packet #2
Packet #2  See below
Packet #3  See Common Packet #17
Packet #2: IKE_AUTH response packet

IPv6 Header    Same as Common Packet #6
UDP Header     Same as Common Packet #6
IKEv2 Header   Same as Common Packet #6
E Payload      Same as Common Packet #6
IDr Payload    Same as Common Packet #6
AUTH Payload   Next Payload: 33 (SA)
               Other fields are the same as Common Packet #6
SA Payload     Same as Common Packet #6
TSi Payload    Traffic Selectors: see below
               Other fields are the same as Common Packet #6
TSr Payload    Same as Common Packet #6

Traffic Selector (TSi)
TS Type           8 (IPV6_ADDR_RANGE)
IP Protocol ID    0 (any)
Selector Length   40
Start Port        0
End Port          65535
Starting Address  Prefix Y::1
Ending Address    Prefix Y::1
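The following is an added example, not part of the test specification: a small Python checker that encodes and walks the decrypted payload chain of an IKE_AUTH response as Packet #2 lists it, confirms that no Configuration payload carrying a CFG_REPLY is present, and confirms that the responder's TSi was narrowed to the single internal address Prefix Y::1 using the IPV6_ADDR_RANGE selector values above. Payload type numbers and wire formats follow RFC 7296; the bodies of the IDr, AUTH, N and SA payloads are constructed placeholders, and the function names are this example's own.

```python
import ipaddress
import struct

# IKEv2 payload type numbers (RFC 7296 section 3.2) and the values used here
PT_NONE, PT_SA, PT_IDR, PT_AUTH, PT_N, PT_TSI, PT_TSR, PT_CP = 0, 33, 36, 39, 41, 44, 45, 47
TS_IPV6_ADDR_RANGE = 8        # TS Type 8, as in the Packet #2 selector
CFG_REPLY = 2                 # CFG Type of a Configuration payload reply
INTERNAL_IP6_ADDRESS = 8      # CP attribute type requested by the NUT

PREFIX_Y = ipaddress.IPv6Network("2001:0db8:000f:0002::/64")  # Link Y from the topology


def build_ts_ipv6(start, end, proto=0, start_port=0, end_port=65535):
    """Encode one IPV6_ADDR_RANGE traffic selector (RFC 7296 section 3.13.1)."""
    body = (struct.pack("!HH", start_port, end_port)
            + ipaddress.IPv6Address(start).packed + ipaddress.IPv6Address(end).packed)
    return struct.pack("!BBH", TS_IPV6_ADDR_RANGE, proto, 4 + len(body)) + body


def build_ts_payload(selectors):
    """Traffic Selector payload body: number of TSs, 3 reserved bytes, selectors."""
    return struct.pack("!B3x", len(selectors)) + b"".join(selectors)


def build_cfg_reply_ip6(addr, prefix_len=64):
    """CP payload body: CFG_REPLY with one INTERNAL_IP6_ADDRESS attribute (addr + prefix length)."""
    value = ipaddress.IPv6Address(addr).packed + bytes([prefix_len])
    return struct.pack("!B3x", CFG_REPLY) + struct.pack("!HH", INTERNAL_IP6_ADDRESS, len(value)) + value


def build_chain(payloads):
    """Encode [(type, body), ...] as a chain of generic payload headers; returns (first_type, bytes)."""
    out = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PT_NONE
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return (payloads[0][0] if payloads else PT_NONE), out


def parse_chain(first_type, data):
    """Walk generic payload headers (Next Payload, flags, Length); rejects truncated or oversized lengths."""
    result, ptype, off = [], first_type, 0
    while ptype != PT_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        result.append((ptype, data[off + 4:off + length]))
        ptype, off = nxt, off + length
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return result


def parse_ts_payload(body):
    """Decode a TS payload body into [(ts_type, proto, start_port, end_port, start_addr, end_addr), ...]."""
    off, selectors = 4, []
    for _ in range(body[0]):
        ts_type, proto, length = struct.unpack_from("!BBH", body, off)
        if ts_type != TS_IPV6_ADDR_RANGE or length != 40:
            raise ValueError("unsupported selector")
        sport, eport = struct.unpack_from("!HH", body, off + 4)
        start = ipaddress.IPv6Address(body[off + 8:off + 24])
        end = ipaddress.IPv6Address(body[off + 24:off + 40])
        selectors.append((ts_type, proto, sport, eport, start, end))
        off += length
    return selectors


def find_cfg_reply_ip6(chain):
    """Return the INTERNAL_IP6_ADDRESS carried in a CFG_REPLY, or None when no such reply is present."""
    for ptype, body in chain:
        if ptype != PT_CP or body[0] != CFG_REPLY:
            continue
        off = 4
        while off + 4 <= len(body):
            attr, length = struct.unpack_from("!HH", body, off)   # top bit is reserved
            if (attr & 0x7FFF) == INTERNAL_IP6_ADDRESS and length == 17:
                return ipaddress.IPv6Address(body[off + 4:off + 20])
            off += 4 + length
    return None


def evaluate_ike_auth_response(first_type, data, internal_addr):
    """Checks for Packet #2: no CFG_REPLY present, TSi narrowed to exactly the internal address."""
    chain = parse_chain(first_type, data)
    tsi = [b for t, b in chain if t == PT_TSI]
    wanted = ipaddress.IPv6Address(internal_addr)
    narrowed = bool(tsi) and all(s == e == wanted for _, _, _, _, s, e in parse_ts_payload(tsi[0]))
    return {
        "has_cfg_reply": find_cfg_reply_ip6(chain) is not None,
        "tsi_is_internal_address": narrowed,
        "payload_order": [t for t, _ in chain],
    }


# Constructed sample: the decrypted content of Packet #2 in the order the page lists it
# (IDr, AUTH, N, SA, TSi, TSr). Only the TSi selector uses the page's values; the other
# bodies are placeholders of the right shape, not data from the specification.
INTERNAL_ADDR = "2001:db8:f:2::1"   # Prefix Y::1
SAMPLE_FIRST, SAMPLE_DATA = build_chain([
    (PT_IDR, b"\x05\x00\x00\x00" + b"tn1.example"),   # placeholder ID payload
    (PT_AUTH, b"\x02\x00\x00\x00" + b"\x00" * 20),    # placeholder AUTH payload
    (PT_N, b"\x00\x00\x40\x00"),                      # placeholder Notify payload
    (PT_SA, b"\x00" * 8),                             # placeholder SA payload
    (PT_TSI, build_ts_payload([build_ts_ipv6(INTERNAL_ADDR, INTERNAL_ADDR)])),
    (PT_TSR, build_ts_payload([build_ts_ipv6(PREFIX_Y[0], PREFIX_Y[-1])])),
])

if __name__ == "__main__":
    print(evaluate_ike_auth_response(SAMPLE_FIRST, SAMPLE_DATA, INTERNAL_ADDR))
```

Run as is, the sample reports no CFG_REPLY and a TSi equal to Prefix Y::1, which is exactly the situation this test puts the NUT in: it asked for an address with CFG_REQUEST, received none back, and must still complete the exchange and answer the later INFORMATIONAL request. Feeding the same checker a chain that includes a CP payload from build_cfg_reply_ip6 shows the positive case, and the strict length checks in parse_chain are the part worth keeping in any real IKEv2 parser.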
Part A (ADVANCED)
1. NUT starts to negotiate with TN1 by sending an IKE_SA_INIT request.
2. Observe the messages transmitted on Link A.
3. TN1 responds with an IKE_SA_INIT response to the NUT.
4. Observe the messages transmitted on Link A.
5. After reception of the IKE_AUTH request from the NUT, TN1 responds with an IKE_AUTH response to the NUT. The message does not include any Configuration payloads.
6. TH1 transmits an INFORMATIONAL request with no payload to the NUT.
7. Observe the messages transmitted on Link A.
Part A
Step 2: Judgment #1
The NUT transmits an IKE_SA_INIT request including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed algorithms.

Step 4: Judgment #2
The NUT transmits an IKE_AUTH request including "ENCR_3DES", "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as proposed algorithms.

Step 7: Judgment #3
The NUT transmits an INFORMATIONAL response with no payload to the TN1.
* None