qacafe - ip test solutions

CDRouter IKE

CDRouter-IKE is an add-on module that adds IPSEC and VPN testing support to CDRouter. CDRouter-IKE is used to test IP routers that contain VPN security gateway functionality based on IKE.

CDRouter-IKE Environment

CDRouter-IKE establishes IKE-based VPN connections with the router under test by emulating VPN gateways and clients. Several automated functional test cases verify the behavior of the IKE protocol and verify that VPN connections are secure and robust. The CDRouter-IKE functionality can also be combined with CDRouter’s existing application tests to allow application traffic to run over VPN connections.

CDRouter-IKE offers a blend of testing styles including conformance, functional, and negative. Many of the test cases focus on the underlying problems encountered during interoperability testing.

CDRouter-IKE Test Coverage

  • IKEv1
  • IKE Main Mode, Aggressive Mode, and Quick Mode
  • Encryption: DES, 3DES, AES-128, AES-192, AES-256
  • Authentication: SHA1, MD5
  • Diffie-Hellman Groups: 1, 2, 5, 14-18
  • Pre-shared key authentication
  • NAT-Traversal support and testing
  • Up to 4096 site-to-site tunnels
  • 50+ test cases

CDRouter-IKE includes several test cases that go well beyond the simple packet verification and negative testing of conformance-only test suites. Some of the testing areas include:

Rekeying Verification

Besides verifying both responder and initiator behavior for IKE-based connections, CDRouter-IKE attempts several rekeying exchanges to verify that new key exchanges are successful and that traffic is always using the correct IPSEC SAs.

Maximum number of Phase 2 exchanges

CDRouter-IKE can verify the maximum number of Phase 2 exchanges that can be established.

Key Interoperability

CDRouter-IKE can test for known interoperability problems in generating Diffie-Hellman public keys and ephemeral keys during Phase 1 and Phase 2 exchanges. These test cases can quickly determine if the IKE implementation is at risk for key interoperability problems.

NAT and IPSEC

All of CDRouter's existing NAT tests can be run over IKE-based tunnels. This allows verification of NAT functionality along with IPSEC.

Multiple Tunnels

CDRouter-IKE supports multiple tunnels, making it possible to verify several different transforms during a single test run. CDRouter can switch its testing focus between different tunnels to verify that all tunnels are operating correctly.