Test IKEv2.EN.R.1.2.6.2: Receipt of cryptographically valid message on the old SA Part A: (BASIC)
To verify an IKEv2 device properly uses old IKE_SA.
* [RFC 4306] - Sections 2.8
* Network Topology Connect the devices according to the Common Topology. * Configuration In each part, configure the devices according to the Common Configuration. * Pre-Sequence and Cleanup Sequence IKEv2 on the NUT is disabled after each part.
NUT TN1 (End-Node) (End-Node) | | |<-------------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni) | | (Packet #1) |------------------->| IKE_SA_INIT response (HDR, SAr1, KEr, Nr) | | (Judgement #1) | | |<-------------------| IKE_AUTH request (HDR, SK {IDi, AUTH, N, SAi2, TSi, TSr}) | | (Packet #2) |------------------->| IKE_AUTH response (HDR, SK {IDr, AUTH, N, SAr2, TSi, TSr}) | | (Judgement #2) | | |<-------------------| IPsec {Echo Request} | | (Packet #3) |------------------->| IPsec {Echo Reply} | | (Judgement #3) | | |<-------------------| CREATE_CHILD_SA request (HDR, SK {SA, Ni}) | | (Packet #4) |------------------->| CREATE_CHILD_SA response (HDR, SK {SA, Nr}) | | (Judgement #4) | | |<-------------------| INFORMATIONAL request (HDR, SK {}) (old IKE_SA) | | (Packet #5) |------------------->| INFORMATIONAL response (HDR, SK {}) (old IKE_SA) | | (Judgement #5) | | V V
N: USE_TRANSPORT_MODE
Packet #1 See Common Packet #1 Packet #2 See Common Packet #3 Packet #3 See Common Packet #19 Packet #4 See Common Packet #11 Packet #5 See Common Packet #17
(CHILD_SA is negotiated by steps 1 through 4.)
Part A: (BASIC) 1. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request. 2. Observe the messages transmitted on Link A. 3. After reception of IKE_SA_INIT response from the NUT, TN1 transmits an IKE_AUTH request to the NUT. 4. Observe the messages transmitted on Link A. 5. TN1 transmits an Echo Request with IPsec ESP using corresponding algorithms to NUT. 6. Observe the messages transmitted on Link A. 7. TN1 transmits a CREATE_CHILD_SA request to the NUT. 8. Observe the messages transmitted on Link A. 9. TN1 transmits an INFORMATIONAL request with no payloads protected by the old IKE_SA. 10. Observe the messages transmitted on Link A.
Part A Step 2: Judgment #1 The NUT transmits an IKE_SA_INIT response including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted algorithms.
Step 4: Judgment #2 The NUT transmits an IKE_AUTH response including "ENCR_3DES", "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
Step 6: Judgment #3 The NUT transmits an Echo Reply with IPsec ESP using corresponding algorithms.
Step 8: Judgment #4 The NUT transmits a CREATE_CHILD_SA response including "ENCR_3DES", "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as proposed algorithms. And the proposal in the SA payload Response includes 1 (IKE) in the Protocol ID field, 8 in the SPI size field and rekeyed IKE_SA's responder's SPI value in the SPI field.
Step 10: Judgment #5 The NUT responds with an INFORMATIONAL response with no payloads protected by the old IKE_SA.
* none.