Title

  Test IKEv2.EN.R.1.1.3.1: State Synchronization with ICMP messages
  Part A: (BASIC)


Purpose

  To verify that an IKEv2 device doesn't conclude that the other endpoint has faild by receiving
  ICMP Error messages.


References

  * [RFC 4306] - Sections 2.1, 2.2 and 2.4


Test Setup

  * Network Topology
      Connect the devices according to the Common Topology.
  * Configuration
      In each part, configure the devices according to the Common Configuration.
  * Pre-Sequence and Cleanup Sequence
      IKEv2 on the NUT is disabled after each part.


Procedure

   NUT            TR1           TN1
(End-Node)     (Router)      (End-Node)
    |              |             |
    |<-------------+-------------| IKE_SA_INIT request (HDR, SAi1, KEi, Ni)
    |              |             | (Packet #1)
    |--------------+------------>| IKE_SA_INIT Response (HDR, SAr1, KEr, Nr)
    |              |             | (Judgement #1)
    |              |             |
    |<-------------+-------------| IKE_AUTH request (HDR, SK {IDi, AUTH, N, SAi2, TSi, TSr})
    |              |             | (Packet #2)
    |--------------+------------>| IKE_AUTH Response (HDR, SK {IDr, AUTH, N, SAr2, TSi, TSr})
    |              |             | (Judgement #2)
    |              |             |
    |<-------------+-------------| IPsec {Echo Request}
    |              |             | (Packet #3)
    |--------------+------------>| IPsec {Echo Reply}
    |              |             | (Judgement #3)
    |              |             |
    |<-------------|             | Destination Unreachable (No route to destination)
    |              |             | (Packet #4)
    |              |             |
    |<-------------+-------------| IPsec {Echo Request}
    |              |             | (Packet #5)
    |--------------+------------>| IPsec {Echo Reply}
    |              |             | (Judgement #4)
    |              |             |
    V              V             V

N: USE_TRANSPORT_MODE
Packet #1 See Common Packet #2
Packet #2 See Common Packet #4
Packet #3 See Common Packet #19
Packet #4 See below
Packet #5 See Common Packet #19

* Packet #4: ICMPv6 Destination Unreachable
IPv6 Header Source Address TR1's Global Address on Link A
Destination Address NUT's Global Address on Link A
ICMPv6 Header Type 1
Code 0
  Part A: (BASIC)
       1. TN1 starts to negotiate with NUT by sending IKE_SA_INIT request.
       2. Observe the messages transmitted on Link A.
       3. After reception of IKE_SA_INIT response from the NUT, TN1 transmits an IKE_AUTH
          request to the NUT.
       4. Observe the messages transmitted on Link A.
       5. After reception of IKE_AUTH response from the NUT, TN1 transmits an Echo Request
          with IPsec ESP using corresponding algorithms to NUT.
       6. Observe the messages transmitted on Link A.
       7. After reception of an Echo Reply from NUT, TR1 transmits ICMP Destination Unreachable
          Message to the NUT.
       8. TN1 transmits an Echo Request with IPsec ESP using corresponding algorithms to NUT.
       9. Observe the messages transmitted on Link A.


Observable Result

  Part A
    Step 2: Judgment #1
      The NUT transmits an IKE_SA_INIT response including "ENCR_3DES",
      "PRF_HMAC_SHA1", "AUTH_HMAC_SHA1_96" and "D-H group 2" as accepted
      algorithms.
  
    Step 4: Judgment #2
      The NUT transmits an IKE_AUTH response including "ENCR_3DES",
      "AUTH_HMAC_SHA1_96" and "No Extended Sequence Numbers" as accepted algorithms.
  
    Step 6: Judgment #3
      The NUT transmits an Echo Reply with IPsec ESP using corresponding algorithms.
  
    Step 9: Judgment #4
      The NUT transmits an Echo Reply with IPsec ESP using corresponding algorithms.


Possible Problems

  * None.