SG_R_RFC3602_5_1 - [Responder Test]Transform payload SA Attributes check (AES-128,SHA,PSK,DH2)
SGW
SG_R_RFC3602_5_1.seq [-tooloption ...] -pkt SG_R_RFC3602_5_1.def -tooloption : v6eval tool option
See also ike_common.def and ike_ipsec.def and ike_addr.def and ike_pkt_ph1_recv.def and ike_pkt_ph2_recv.def
HOST-2(TN)
|3ffe:501:ffff:104::11
|
Net-v --+------------------------+-------- 3ffe:501:ffff:104::/64
|
|
SGW-2(TN):initiator
|3ffe:501:ffff:103::11
|
Net-w --+--------+------------------------ 3ffe:501:ffff:103::/64
|
|
ROUTER-2(TN)
| 3ffe:501:ffff:102::11
|
Net-x --+--------+------------------------ 3ffe:501:ffff:102::/64
|
|3ffe:501:ffff:102::1
SGW-1(NUT):responder
|3ffe:501:ffff:101::1
|
Net-y --+--------+------------------------ 3ffe:501:ffff:101::/64
|
| 3ffe:501:ffff:101::11
ROUTER-1(TN)
|
|
Net-z -----------+---------------+-------- 3ffe:501:ffff:100::/64
|
|3ffe:501:ffff:100::13
HOST-1(TN)
| Parameter | Value | |
| ISAKMP | SA Attributes | - AES-128 in CBC mode - SHA - Authentication via pre-shared keys. - MODP over group number two. |
| Machine | Src | Dest | Phase I | Phase II | ||||||||||||||
| Ex mode | Key Value | Enc Alg | Hash Alg | Auth Method | DH Group | PH1 Lt | IDx | Proto ID | Trans ID | Mode | Auth Alg | PH2 Lt | IDci | IDcr | Upper | |||
| SGW-1 | SGW-1 addr | SGW-2 addr | Main | IKE-TEST | AES | SHA | pre-shared key | 2 | 8 Hour | SGW-1 addr | PROTO_IPSEC_ESP | ESP_3DES | Tunnel | HMAC-SHA | 8 Hour | Net-v addr | Net-z addr | any |
| SGW-2 | SGW-2 addr | SGW-1 addr | Main | IKE-TEST | AES | SHA | pre-shared key | 2 | 8 Hour | SGW-2 addr | PROTO_IPSEC_ESP | ESP_3DES | Tunnel | HMAC-SHA | 8 Hour | Net-v addr | Net-z addr | any |
This test check is following.
IDENTITY PROTECTION EXCHANGE
# Initiator(TN) Direction Responder(NUT) (1) HDR; SA ========>
(2) <======== HDR; SA Judgement (Check *1)
1. Send the first message from TN In the first message (1), the initiator generates a proposal it considers adequate to protect traffic for the given situation. The Security Association, Proposal, and Transform payloads are included in the Security Association payload (for notation purposes).
2. Receive the second message from NUT In the second message (2), the responder indicates the protection suite it has accepted with the Security Association, Proposal, and Transform payloads.
The first message must be accepted. And the second message must be returned.
The second message Attributes(AES:7,SHA:2,PSK:1,DH2:2) must be correct.
And must conform to above Configuration.
Clean up SAD and SPD
RFC3602 5. IKE Interactions
5.1. Phase 1 Identifier
For Phase 1 negotiations, IANA has assigned an Encryption Algorithm ID of 7 for AES-CBC.
Algorithms for Internet Key Exchange version 1 (IKEv1) draft-hoffman-ikev1-algorithms-02.txt 3. New algorithm requirements
The new requirements for IKEv1 are:
o TripleDES for encryption MUST be supported o AES-128 in CBC mode [RFC3602] SHOULD be supported o SHA-1 for hashing and HMAC functions MUST be supported o Pre-shared secrets for authentication MUST be supported o AES-128 in CBC mode for HMAC functions ([RFC3566] and [RFC3664]) SHOULD be supported o Diffie-Hellman MODP group 2 (discrete log 1024 bits) MUST be supported o Diffie-Hellman MODP group 14 (discrete log 2048 bits) [RFC3526] SHOULD be supported o RSA for authentication with signatures SHOULD be supported
The other algorithms that were listed at MUST-level and SHOULD-level in RFC 2409 are now MAY-level. This includes DES for encryption, MD5 and Tiger for hashing, Diffie-Hellman MODP group 1, Diffie-Hellman MODP groups with elliptic curves, DSA for authentication with signatures, and RSA for authentication with encryption. DES for encryption, MD5 for hashing, Diffie-Hellman MODP group 1 are dropped to MAY due to cryptographic weakness. Tiger for hashing, Diffie-Hellman MODP groups with elliptic curves, DSA for authentication with signatures, and RSA for authentication with encryption are dropped due to lack of any significant deployment and interoperability.
perldoc V6evalTool
IKE.html IKE Test Common Utility