SG_I_RFC3602_5_1 - [Initiator Test] Transform payload SA Attributes check (AES-128)
SGW
SG_I_RFC3602_5_1.seq [-tooloption ...] -pkt SG_I_RFC3602_5_1.def -tooloption : v6eval tool option
See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def
HOST-2(TN)
|3ffe:501:ffff:104::11
|
Net-v --+------------------------+-------- 3ffe:501:ffff:104::/64
|
|
SGW-2(TN):responder
|3ffe:501:ffff:103::11
|
Net-w --+--------+------------------------ 3ffe:501:ffff:103::/64
|
|
ROUTER-2(TN)
| 3ffe:501:ffff:102::11
|
Net-x --+--------+------------------------ 3ffe:501:ffff:102::/64
|
|3ffe:501:ffff:102::1
SGW-1(NUT):initiator
|3ffe:501:ffff:101::1
|
Net-y --+--------+------------------------ 3ffe:501:ffff:101::/64
|
| 3ffe:501:ffff:101::11
ROUTER-1(TN)
|
|
Net-z -----------+---------------+-------- 3ffe:501:ffff:100::/64
|
|3ffe:501:ffff:100::13
HOST-1(TN)
| Parameter | Value | |
| ISAKMP | SA Attributes | - AES-128 in CBC mode - MD5 - Authentication via pre-shared keys. - MODP over default group number one. |
| Machine | Src | Dest | Phase I | Phase II | ||||||||||||||
| Ex mode | Key Value | Enc Alg | Hash Alg | Auth Method | DH Group | PH1 Lt | IDx | Proto ID | Trans ID | Mode | Auth Alg | PH2 Lt | IDci | IDcr | Upper | |||
| SGW-1 | SGW-1 addr | SGW-2 addr | Main | IKE-TEST | AES | SHA* | pre-shared key* | 2* | 8 Hour | SGW-1 addr | PROTO_IPSEC_ESP | ESP_3DES | Tunnel | HMAC-SHA | 8 Hour | Net-z addr | Net-v addr | any |
| SGW-2 | SGW-2 addr | SGW-1 addr | Main | IKE-TEST | AES | SHA | pre-shared key | 2 | 8 Hour | SGW-2 addr | PROTO_IPSEC_ESP | ESP_3DES | Tunnel | HMAC-SHA | 8 Hour | Net-z addr | Net-v addr | any |
In order to start the negotiation of IKE,
TN(HOST-1) transmits Echo Request to TN(HOST-2).
This test check is following.
IDENTITY PROTECTION EXCHANGE
# Initiator(NUT) Direction Responder(TN) (1) HDR; SA ========> Judgement (Check *1)
1. Receive the first message from NUT In the first message (1), the initiator generates a proposal it considers adequate to protect traffic for the given situation. The Security Association, Proposal, and Transform payloads are included in the Security Association payload (for notation purposes).
The first message Attributes(AES-CBC:7) must be included.
And must conform to above Configuration.
Clean up SAD and SPD
RFC3602 5. IKE Interactions
5.1. Phase 1 Identifier
For Phase 1 negotiations, IANA has assigned an Encryption Algorithm ID of 7 for AES-CBC.
Algorithms for Internet Key Exchange version 1 (IKEv1) draft-hoffman-ikev1-algorithms-02.txt 3. New algorithm requirements
The new requirements for IKEv1 are:
o TripleDES for encryption MUST be supported o AES-128 in CBC mode [RFC3602] SHOULD be supported o SHA-1 for hashing and HMAC functions MUST be supported o Pre-shared secrets for authentication MUST be supported o AES-128 in CBC mode for HMAC functions ([RFC3566] and [RFC3664]) SHOULD be supported o Diffie-Hellman MODP group 2 (discrete log 1024 bits) MUST be supported o Diffie-Hellman MODP group 14 (discrete log 2048 bits) [RFC3526] SHOULD be supported o RSA for authentication with signatures SHOULD be supported
The other algorithms that were listed at MUST-level and SHOULD-level in RFC 2409 are now MAY-level. This includes DES for encryption, MD5 and Tiger for hashing, Diffie-Hellman MODP group 1, Diffie-Hellman MODP groups with elliptic curves, DSA for authentication with signatures, and RSA for authentication with encryption. DES for encryption, MD5 for hashing, Diffie-Hellman MODP group 1 are dropped to MAY due to cryptographic weakness. Tiger for hashing, Diffie-Hellman MODP groups with elliptic curves, DSA for authentication with signatures, and RSA for authentication with encryption are dropped due to lack of any significant deployment and interoperability.
perldoc V6evalTool
IKE.html IKE Test Common Utility