TAHI IPsec IPv4 conformance test
http://www.tahi.org/

[INDEX]
  IPsec IPv4 Test Menu
  Configuration for NUT
  Configuration for NUT (Host)
  Configuration for NUT (Router)

[IPsec IPv4 Test Menu]

A1. Host Transport AH Outbound
    Configure network topology and SA (see Configuration for NUT (Host))
    Run the following tests
      No.2   Outbound AH packet (HMAC-MD5)

A2. Host Transport AH Inbound
    Configure network topology and SA (see Configuration for NUT (Host))
    Run the following tests
      No.3   Inbound AH packet (HMAC-MD5)
      #No.4  Detect modification of IPv6 header IP src address with AH

B1. Host Transport ESP Outbound
    Configure network topology and SA (see Configuration for NUT (Host))
    Run the following tests
      No.5   Outbound ESP packet (DES-CBC)
      No.6   Outbound Padding (DES-CBC)
      ####+HMAC-MD5

B2. Host Transport ESP Inbound
    Configure network topology and SA (see Configuration for NUT (Host))
    Run the following tests
      No.7   Inbound ESP packet (DES-CBC)
      No.8   Inbound ESP packet (Invalid Encryption Key)
      No.9   Inbound Padding (DES-CBC)
      ####+HMAC-MD5
      No.10  Padding Length is 255 (max)

C. Router Tunnel AH Outbound/Inbound
    Configure network topology and SA (see Configuration for NUT (Router))
    Run the following tests
      No.12  Outbound AH packet (HMAC-MD5)
      No.13  Inbound AH packet (HMAC-MD5)
      #No.14 Detect modification of IPv6 header IP src address with AH

D. Router Tunnel ESP Outbound/Inbound
    Configure network topology and SA (see Configuration for NUT (Router))
    Run the following tests
      No.15  Outbound ESP packet (DES-CBC)
      No.16  Outbound Padding (DES-CBC)
      ####+HMAC-MD5
      No.17  Inbound ESP packet (DES-CBC)
      No.18  Inbound ESP packet (Invalid Encryption Key)
      No.19  Inbound Padding (DES-CBC)
      ####+HMAC-MD5
      No.20  Padding Length is 255 (max)

[Configuration for NUT]

* Set NUT's IPv4 related parameters to their default values.
* Disable (if possible) any IPv6 or IPv4 network service or application which sends packets actively.
  - Delete the default route entry in NUT's routing table.
  - Disable the routing daemon. (ex. routed)
  - Disable domain name resolution.
  - Disable periodical RA sending (if NUT is a router).
  - etc...
  - There is no need to disable services which only reply to packets passively. (ex. inetd daemon)

[Configuration for NUT (Host)]

* configure NUT as a host
* reboot
* set global address
    192.168.103.20 for Link0
* set static route
  ----------------------------------------------------------------------
  prefix                        gateway
  ----------------------------------------------------------------------
  192.168.105.0/24 (NET5)       192.168.103.10 (ROUTER_NET3)
  ----------------------------------------------------------------------

* logical network topology of the IPsec test

  TN : Tester Node
  NUT: Node Under Test (target implementation)

              +-------+
              |  NUT  |
              +---+---+ NUT_NET3
                  |192.168.103.20
                  |
  ----------------+--------(Link0)-------+--------- NET3 192.168.103.0/24
                                         |
                                         |192.168.103.10 (Default Gateway for NUT)
                                     +---+---+ ROUTER_NET3
                                     | TN as |
                                     | ROUTER|
                                     +---+---+ ROUTER_NET5
                                         |192.168.105.10
                                         |
  ----------------+----------------------+--------- NET5 192.168.105.0/24
                  |
                  |192.168.105.31
              +---+---+ HOST1_NET5
              | TN as |
              | HOST1 |
              +-------+

* SA configuration

A1. SA configuration for "Host Transport AH Outbound"

      HOST1_NET5 -- Router -- NUT
               |              |
              <--transport(Out)--

    SAD for transport(Out)
      src="192.168.103.20"
      dst="192.168.105.31"
      spi=0x1000
      mode=transport
      protocol=ah
      aalgo=hmac-md5
      aalgokey="0123456789ABCDEF" (30313233 34353637 38394142 43444546)

    SPD for transport(Out)
      src="192.168.103.20"
      dst="192.168.105.31"
      upperspec=any
      direction=out
      protocol=ah
      mode=transport

A2. SA configuration for "Host Transport AH Inbound"

      HOST1_NET5 -- Router -- NUT
               |              |
              --transport(In)-->

    SAD for transport(In)
      src="192.168.105.31"
      dst="192.168.103.20"
      spi=0x1000
      mode=transport
      protocol=ah
      aalgo=hmac-md5
      aalgokey="0123456789ABCDEF" (30313233 34353637 38394142 43444546)

    SPD for transport(In)
      src="192.168.105.31"
      dst="192.168.103.20"
      upperspec=any
      direction=in
      protocol=ah
      mode=transport

    NOTE: The sequence number check should be disabled on the NUT; otherwise
    the sequence number must be reset for every test.

B1. SA configuration for "Host Transport ESP Outbound"

      HOST1_NET5 -- Router -- NUT
               |              |
              <--transport(Out)--

    SAD for transport(Out)
      src="192.168.103.20"
      dst="192.168.105.31"
      spi=0x1000
      mode=transport
      protocol=esp
      ealgo=des-cbc
      ealgokey="01234567" (30313233 34353637)

    SPD for transport(Out)
      src="192.168.103.20"
      dst="192.168.105.31"
      upperspec=any
      direction=out
      protocol=esp
      mode=transport

B2. SA configuration for "Host Transport ESP Inbound"

      HOST1_NET5 -- Router -- NUT
               |              |
              --transport(In)-->

    SAD for transport(In)
      src="192.168.105.31"
      dst="192.168.103.20"
      spi=0x1000
      mode=transport
      protocol=esp
      ealgo=des-cbc
      ealgokey="01234567" (30313233 34353637)

    SPD for transport(In)
      src="192.168.105.31"
      dst="192.168.103.20"
      upperspec=any
      direction=in
      protocol=esp
      mode=transport

    NOTE: The sequence number check should be disabled on the NUT; otherwise
    the sequence number must be reset for every test.
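What the AH tests (No.2/3 above, and No.12/13 in the router section) actually check is the HMAC-MD5-96 ICV carried in the AH header. The following is an added Python example, not code from the TAHI suite: it computes and verifies that ICV for an IPv4 transport-mode AH packet using the SPI and aalgokey from the SAD entries above. It assumes a 20-byte IPv4 header without options and a 24-byte AH header (12 fixed bytes plus the 12-byte truncated ICV), and the sample packet it signs is constructed inline.

```python
# Added example (not part of the TAHI suite): HMAC-MD5-96 ICV of an IPv4
# transport-mode AH packet (RFC 2402 / RFC 2403). Layout assumed: 20-byte
# IPv4 header without options, then a 24-byte AH header whose 12-byte ICV
# field is zero while the MAC is computed, then the payload.
import hmac
import hashlib
import socket
import struct

AALGOKEY = b"0123456789ABCDEF"        # aalgokey from the A1/A2 SAD entries
SPI = 0x1000                          # spi from the same entries
IPV4_HDR_LEN = 20
AH_HDR_LEN = 24                       # 12 fixed bytes + 12-byte HMAC-MD5-96 ICV
ICV_OFFSET = IPV4_HDR_LEN + 12        # ICV follows nexthdr/len/rsvd/SPI/seq
ICV_LEN = 12

def zero_mutable_fields(packet: bytes) -> bytes:
    """Copy of the packet with the IPv4 mutable fields and the ICV field
    zeroed, as both sender and receiver do before computing the MAC."""
    buf = bytearray(packet)
    buf[1] = 0                        # TOS
    buf[6:8] = b"\x00\x00"            # flags + fragment offset
    buf[8] = 0                        # TTL
    buf[10:12] = b"\x00\x00"          # header checksum
    buf[ICV_OFFSET:ICV_OFFSET + ICV_LEN] = bytes(ICV_LEN)
    return bytes(buf)

def ah_icv(packet: bytes, key: bytes = AALGOKEY) -> bytes:
    """HMAC-MD5 over the packet with mutable fields zeroed, truncated to 96 bits."""
    return hmac.new(key, zero_mutable_fields(packet), hashlib.md5).digest()[:ICV_LEN]

def ah_sign(packet: bytes, key: bytes = AALGOKEY) -> bytes:
    """Outbound side: fill in the ICV field (what test No.2 inspects)."""
    icv = ah_icv(packet, key)
    return packet[:ICV_OFFSET] + icv + packet[ICV_OFFSET + ICV_LEN:]

def ah_verify(packet: bytes, key: bytes = AALGOKEY) -> bool:
    """Inbound side: recompute the ICV and compare in constant time (test No.3)."""
    received = packet[ICV_OFFSET:ICV_OFFSET + ICV_LEN]
    return hmac.compare_digest(received, ah_icv(packet, key))

def build_ah_packet(src: str, dst: str, payload: bytes, seq: int = 1,
                    next_header: int = 17) -> bytes:
    """Constructed sample: IPv4 header (protocol 51 = AH) + AH header with an
    empty ICV field + payload. The IPv4 checksum is left at 0 because it is a
    mutable field and is zeroed for the MAC anyway."""
    total_len = IPV4_HDR_LEN + AH_HDR_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 51, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    # AH Payload Len = (AH header length in 32-bit words) - 2 = 24/4 - 2 = 4
    ah = struct.pack("!BBHII", next_header, 4, 0, SPI, seq) + bytes(ICV_LEN)
    return ip + ah + payload

# Constructed sample matching SA A1 (NUT -> HOST1_NET5); the payload is dummy data.
SAMPLE = build_ah_packet("192.168.103.20", "192.168.105.31", b"udp payload")

def demo():
    signed = ah_sign(SAMPLE)
    ok = ah_verify(signed)
    # A modified source address must be detected by the receiver ...
    tampered = signed[:12] + socket.inet_aton("192.168.103.99") + signed[16:]
    # ... while a changed mutable field (here the TTL) must still verify.
    ttl_changed = signed[:8] + b"\x01" + signed[9:]
    return ok, ah_verify(tampered), ah_verify(ttl_changed)

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The same routine covers the tunnel-mode SAs in section C once the outer IPv4 header is the one being zeroed, since AH in tunnel mode authenticates the outer header plus the whole inner packet.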
[Configuration for NUT (Router)]

* configure NUT as a router
* reboot
* set global address
    192.168.100.20 for Link0
    192.168.101.21 for Link1
* set static route
  ----------------------------------------------------------------------
  prefix                        gateway
  ----------------------------------------------------------------------
  192.168.102.0/24 (NET2)       192.168.100.10 (ROUTER_NET0)
  192.168.104.0/24 (NET4)       192.168.100.10 (ROUTER_NET0)
  ----------------------------------------------------------------------

* logical network topology of the IPsec test

  TN : Tester Node
  NUT: Node Under Test (target implementation)

              +-------+
              | TN as |
              | HOST1 |
              +---+---+ HOST1_NET1
                  |192.168.101.31
                  |
  ----------------+------------+----(Link1)---------- NET1 192.168.101.0/24
                               |
                               |192.168.101.21
                           +---+---+ NUT_NET1
                           |  NUT  |
                           +---+---+ NUT_NET0
                               |192.168.100.20
                               |
  ----------------+------------+----(Link0)---------- NET0 192.168.100.0/24
                  |
                  |192.168.100.10
              +---+---+ ROUTER_NET0
              | TN as |
              | ROUTER|
              +---+---+ ROUTER_NET2
                  |192.168.102.10
                  |
  ----------------+------------+--------------------- NET2 192.168.102.0/24
                               |
                               |192.168.102.11
                           +---+---+ SG1_NET2
                           | TN as |
                           |  SG1  |
                           +---+---+ SG1_NET4
                               |192.168.104.10
                               |
  ----------------+------------+--------------------- NET4 192.168.104.0/24
                  |192.168.104.31
              +---+---+ HOST1_NET4
              | TN as |
              | HOST1 |
              +-------+

* SA configuration

C. SA configuration for "Router Tunnel AH Outbound/Inbound"

      HOST1_NET4 -- SG1 -- Router -- NUT -- HOST1_NET1
                     |                |
                     <===tunnel(Out)===
                     ====tunnel(In)===>

    SAD for tunnel(Out)
      tunnel src="192.168.100.20"
      tunnel dst="192.168.102.11"
      spi=0x1000
      mode=tunnel
      direction=out
      protocol=ah
      aalgo=hmac-md5
      aalgokey="0123456789ABCDEF" (30313233 34353637 38394142 43444546)

    SPD for tunnel(Out)
      packet src="192.168.101.0/24"
      packet dst="192.168.104.0/24"
      upperspec=any
      direction=out
      protocol=ah
      mode=tunnel
      tunnel src="192.168.100.20"
      tunnel dst="192.168.102.11"

    SAD for tunnel(In)
      tunnel src="192.168.102.11"
      tunnel dst="192.168.100.20"
      spi=0x1000
      mode=tunnel
      direction=in
      protocol=ah
      aalgo=hmac-md5
      aalgokey="0123456789ABCDEF" (30313233 34353637 38394142 43444546)

    SPD for tunnel(In)
      no policy, or you may set the appropriate policy for
      packet src="192.168.104.0/24"
      packet dst="192.168.101.0/24"

    NOTE: The sequence number check should be disabled on the NUT; otherwise
    the sequence number must be reset for every test.

D. SA configuration for "Router Tunnel ESP Outbound/Inbound"

      HOST1_NET4 -- SG1 -- Router -- NUT -- HOST1_NET1
                     |                |
                     <===tunnel(Out)===
                     ====tunnel(In)===>

    SAD for tunnel(Out)
      tunnel src="192.168.100.20"
      tunnel dst="192.168.102.11"
      spi=0x1000
      mode=tunnel
      direction=out
      protocol=esp
      ealgo=des-cbc
      ealgokey="01234567" (30313233 34353637)

    SPD for tunnel(Out)
      packet src="192.168.101.0/24"
      packet dst="192.168.104.0/24"
      upperspec=any
      direction=out
      protocol=esp
      mode=tunnel
      tunnel src="192.168.100.20"
      tunnel dst="192.168.102.11"

    SAD for tunnel(In)
      tunnel src="192.168.102.11"
      tunnel dst="192.168.100.20"
      spi=0x1000
      mode=tunnel
      direction=in
      protocol=esp
      ealgo=des-cbc
      ealgokey="01234567" (30313233 34353637)

    SPD for tunnel(In)
      no policy, or you may set the appropriate policy for
      packet src="192.168.104.0/24"
      packet dst="192.168.101.0/24"

    NOTE: The sequence number check should be disabled on the NUT; otherwise
    the sequence number must be reset for every test.
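The ESP padding tests (No.6/9/10 in the host sections and No.16/19/20 above) exercise the ESP trailer, whose length is dictated by the 8-byte DES-CBC block size and whose Pad Length is a single byte, hence the 255 maximum. The following is an added Python example, not code from the TAHI suite: it builds the trailer on the outbound side and validates it on the inbound side. It assumes the default RFC 2406 pad content (the sequence 1, 2, 3, ...), and its sample payloads are constructed inline; the encryption step itself is left out since it does not affect the padding arithmetic.

```python
# Added example (not part of the TAHI suite): ESP trailer (Padding, Pad
# Length, Next Header) for DES-CBC. Assumes the RFC 2406 default padding
# content 1, 2, 3, ... and a one-byte Pad Length field (max 255).

DES_BLOCK = 8        # DES-CBC block size in bytes
MAX_PAD_LEN = 255    # Pad Length is one byte
TRAILER_FIXED = 2    # Pad Length (1 byte) + Next Header (1 byte)

def esp_pad(payload: bytes, next_header: int, block_size: int = DES_BLOCK,
            extra_blocks: int = 0) -> bytes:
    """Outbound: payload + padding + Pad Length + Next Header, with the total
    a multiple of block_size. extra_blocks adds whole blocks of padding
    beyond the minimum, which RFC 2406 permits (e.g. to hide the true
    payload length); the pad bytes are the sequence 1, 2, 3, ..."""
    min_pad = (-(len(payload) + TRAILER_FIXED)) % block_size
    pad_len = min_pad + extra_blocks * block_size
    if pad_len > MAX_PAD_LEN:
        raise ValueError(f"pad length {pad_len} exceeds the 255-byte maximum")
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])

def esp_unpad(plaintext: bytes, block_size: int = DES_BLOCK) -> tuple:
    """Inbound: validate the trailer and return (payload, next_header).
    Raises ValueError on a malformed trailer. Because these SAs carry no
    authenticator, a check like this is the receiver's only hint that
    decryption with a mismatched key (tests No.8/18) produced garbage; it is
    not a substitute for an integrity check."""
    if len(plaintext) < TRAILER_FIXED or len(plaintext) % block_size:
        raise ValueError("plaintext is not a multiple of the cipher block size")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + TRAILER_FIXED > len(plaintext):
        raise ValueError("pad length exceeds the plaintext")
    payload_end = len(plaintext) - TRAILER_FIXED - pad_len
    padding = plaintext[payload_end:-TRAILER_FIXED]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes are not the 1, 2, 3, ... sequence")
    return plaintext[:payload_end], next_header

def max_pad_example() -> bytes:
    """Tests No.10/20: a 7-byte payload needs 7 bytes of minimum padding;
    31 extra blocks bring Pad Length to 7 + 31*8 = 255, the maximum."""
    return esp_pad(b"\x00" * 7, 17, extra_blocks=31)

if __name__ == "__main__":
    # Constructed sample: an 11-byte payload with Next Header 6 (TCP)
    padded = esp_pad(b"hello world", 6)
    print(len(padded), padded[-2])            # 16 3
    print(esp_unpad(padded))                  # (b'hello world', 6)
    print(max_pad_example()[-2])              # 255
```

Note that esp_unpad rejects a Pad Length that runs past the start of the plaintext and a pad sequence that does not match, which are the two things an inbound padding test can observe without an authenticator on the SA.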