Title

  Test IKEv2.EN.R.1.1.3.3: Close connections when receiving INITIAL_CONTACT
  Part A: (ADVANCED)


Purpose

  To verify an IKEv2 device closes connections when receiving INITIAL_CONTACT.


References

  * [RFC 4306] - Sections 2.1, 2.2 and 2.4
  * [RFC 4718] - Sections 7.9


Test Setup

  * Network Topology
      Connect the devices according to the Common Topology.
  * Configuration
      In each part, configure the devices according to the Common Configuration.
  * Pre-Sequence and Cleanup Sequence
      IKEv2 on the NUT is disabled after each part.


Procedure

   NUT                  TN1
(End-Node)           (End-Node)
    |                    |
    |<-------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
    |                    | (Packet #1)
    |------------------->| IKE_SA_INIT response (HDR, SAr1, KEr, Nr)
    |                    | (Judgement #1)
    |                    |
    |<-------------------| IKE_AUTH request (HDR, SK {IDi, AUTH, N, SAi2, TSi, TSr})
    |                    | (Packet #2)
    |------------------->| IKE_AUTH response (HDR, SK {IDr, AUTH, N, SAr2, TSi, TSr})
    |                    | (Judgement #2)
    |                    |
    |<-------------------| IPsec {Echo Request}
    |                    | (Packet #3)
    |------------------->| IPsec {Echo Reply}
    |                    | (Judgement #3)
    |                    |
    |<-------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
    |                    | (Packet #4)
    |------------------->| IKE_SA_INIT response (HDR, SAr1, KEr, Nr)
    |                    | (Judgement #4)
    |                    |
    |<-------------------| IKE_AUTH request (HDR, SK {IDi, N(INITIAL_CONTACT), AUTH, N, SAi2, TSi, TSr})
    |                    | (Packet #5)
    |------------------->| IKE_AUTH response (HDR, SK {IDr, AUTH, N, SAr2, TSi, TSr})
    |                    | (Judgement #5)
    |                    |
    |<-------------------| IPsec {Echo Request} (old CHILD_SA)
    |                    | (Packet #6)
    |------------------->| IPsec {Echo Reply}
    |                    | (Judgement #6)
    |                    |
    |<-------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni) (new CHILD_SA)
    |                    | (Packet #7)
    |------------------->| IKE_SA_INIT response (HDR, SAr1, KEr, Nr)
    |                    | (Judgement #7)
    |                    |
    V                    V
N: USE_TRANSPORT_MODE
Packet #1 See Common Packet #1
Packet #2 See Common Packet #3
Packet #3 See Common Packet #19
Packet #4 See Common Packet #1
Packet #5 See Common Packet #3
Packet #6 See Common Packet #19
This packet is cryptographically
protected by the CHILD_SA
negotia ted at Step 1 to Step 4.
Packet #7 See Common Packet #19
This packet is cryptographically
protected by the CHILD_SA
negotiated at Step 7 to Step 10.
  Part A: (ADVANCED)
       1. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request.
       2. Observe the messages transmitted on Link A.
       3. After reception of IKE_AUTH response from the NUT, TN1 transmits an IKE_AUTH
          request to the NUT.
       4. Observe the messages transmitted on Link A.
       5. After reception of IKE_AUTH response from the NUT, TN1 transmits an Echo Request
          with IPsec ESP using corresponding algorithms to NUT.
       6. Observe the messages transmitted on Link A.
       7. After reception of an Echo Reply from NUT, TN1 transmits IKE_SA_INIT request to the
          NUT.
       8. Observe the messages transmitted on Link A.
       9. After reception of IKE_SA_INIT response from the NUT, TN1 transmits IKE_AUTH
          response with a Notify payload of type INITIAL_CONTACT to the NUT.
      10. Observe the messages transmitted on Link A.
      11. After reception of IKE_AUTH response from the NUT, TN1 transmits an Echo Request
          with IPsec ESP using the first negotiated algorithm.
      12. Observe the messages transmitted on Link A.
      13. After reception of IKE_AUTH response from the NUT, TN1 transmits an Echo Request
          with IPsec ESP using the second negotiated algorithm.
      14. Observe the messages transmitted on Link A.


Observable Result

  Part A
    Step 2: Judgment #1
      The NUT transmits an IKE_SA_INIT response including "ENCR_3DES",
      "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted
      algorithms.
  
    Step 4: Judgment #2
      The NUT transmits an IKE_AUTH response including "ENCR_3DES",
      "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
  
    Step 6: Judgment #3
      The NUT transmits an Echo Reply with IPsec ESP using corresponding algorithms.
  
    Step 8: Judgment #4
      The NUT transmits an IKE_SA_INIT response including "ENCR_3DES",
      "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted
      algorithms.
  
    Step 10: Judgment #5
      The NUT transmits an IKE_AUTH response including "ENCR_3DES",
      "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
  
    Step 12: Judgment #6
      The NUT never transmits an Echo Reply using the first negotiated algorithms or the second
      negotiated algorithms.
  
    Step 14: Judgment #7
       The NUT transmits an Echo Reply with IPsec ESP using the second negotiated algorithms.


Possible Problems

  * None.