| # | Test Name | Module | Synopsis |
|---|-----------|--------|----------|
| 1 | ike_1 | ike.tcl | Verify gateway can act as tunnel initiator |
| 2 | ike_2 | ike.tcl | Verify gateway can act as tunnel responder |
| 3 | ike_4 | ike.tcl | Verify traffic is not sent in the clear when all Phase 2 SAs are deleted |
| 4 | ike_5 | ike.tcl | Verify traffic is not sent in the clear when all Phase 1 and 2 SAs are deleted |
| 5 | ike_10 | ike.tcl | Verify gateway switches to new Phase 2 SA after peer initiates new Phase 2 SA |
| 6 | ike_12 | ike.tcl | Verify gateway switches to new Phase 2 SA after peer initiates new Phase 1 and 2 SA |
| 7 | ike_14 | ike.tcl | Verify deletion of old Phase 1 and 2 SAs does not stop traffic over new SA |
| 8 | ike_16 | ike.tcl | Verify old Phase SA continues to work after new Phase 2 SA is initiated |
| 9 | ike_30 | ike.tcl | Verify gateway has retransmission strategy for Phase 1 establishment |
| 10 | ike_31 | ike.tcl | Verify gateway has retransmission strategy for Phase 2 establishment |
| 11 | ike_40 | ike.tcl | Verify gateway sends Phase 1 delete notification after Phase 1 lifetime expires (initiator) |
| 12 | ike_41 | ike.tcl | Verify gateway sends Phase 2 delete notification after Phase 2 lifetime expires (initiator) |
| 13 | ike_42 | ike.tcl | Verify gateway deletes Phase 1 SA after Phase 1 lifetime expires (initiator) |
| 14 | ike_43 | ike.tcl | Verify gateway deletes Phase 2 SA after Phase 2 lifetime expires (initiator) |
| 15 | ike_50 | ike.tcl | Verify gateway sends delete notification after Phase 1 lifetime expires (responder) |
| 16 | ike_51 | ike.tcl | Verify gateway sends delete notification after Phase 2 lifetime expires (responder) |
| 17 | ike_52 | ike.tcl | Verify gateway deletes Phase 1 SA after Phase 1 lifetime expires (responder) |
| 18 | ike_53 | ike.tcl | Verify gateway deletes Phase 2 SA after Phase 2 lifetime expires (responder) |
| 19 | ike_70 | ike.tcl | Verify gateway sends NOTIFY message when tunnel specification does not match |
| 20 | ike_72 | ike.tcl | Verify gateway reuses Phase 1 SA when Phase 2 setup fails |
| 21 | ike_73 | ike.tcl | Verify gateway reuses Phase 1 SA when Phase 2 is deleted |
| 22 | ike_80 | ike.tcl | Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received during new Phase 1 |
| 23 | ike_81 | ike.tcl | Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received during new Phase 2 |
| 24 | ike_82 | ike.tcl | Verify INITIAL-CONTACT is ignored if not protected under IKE SA |
| 25 | ike_85 | ike.tcl | Verify gateway deletes existing Phase 2 SAs when INITIAL-CONTACT message is received from NOTIFY |
| 26 | ike_100 | ike.tcl | Verify the maximum number of Phase 2 SAs that can be established with remote gateway |
| 27 | ike_110 | ike.tcl | Verify Phase 1 SA can be established when unknown Vendor IDs are included |
| 28 | ike_122 | ike.tcl | Verify gateway rejects Phase 2 proposals with unknown payloads |
| 29 | ike_130 | ike.tcl | Verify starting ESP sequence number for new phase SA is 1 |
| 30 | ike_135 | ike.tcl | Verify gateway anti-replay detection |
| 31 | ike_136 | ike.tcl | Verify out of sequence ESP packets do not trigger replay detection |
| 32 | ike_140 | ike.tcl | Verify IPSEC window moves forward |
| 33 | ike_200 | ike.tcl | Verify gateway responds to Dead Peer detection R-U-THERE requests |
| 34 | ike_300 | ike.tcl | Verify gateway supports peer IDs of type ID_FQDN |
| 35 | ike_301 | ike.tcl | Verify gateway supports peer IDs of type ID_USER_FQDN |
| 36 | ike_302 | ike.tcl | Verify gateway gracefully fails when ID type is unknown |
| 37 | ike_310 | ike.tcl | Verify gateway ignores unknown transform in Phase 1 proposal |
| 38 | ike_311 | ike.tcl | Verify gateway can find valid transform in large list of transforms |
| 39 | ike_312 | ike.tcl | Verify gateway recovers gracefully if no valid transform is found in proposal |
| 40 | ike_320 | ike.tcl | Verify gateway ignores unknown transform in Phase 2 proposal |
| 41 | ike_321 | ike.tcl | Verify gateway handles large transform list during Phase 2 |
| 42 | ike_330 | ike.tcl | Verify new Phase 2 can be established with SA Lifetime using both seconds and bytes |
| 43 | ike_350 | ike.tcl | Verify Phase 2 SA setup using small Nonce sizes (8) |
| 44 | ike_351 | ike.tcl | Verify Phase 2 SA setup using large Nonce sizes (256) |
| 45 | ike_360 | ike.tcl | Verify gateway can act as tunnel initiator and responder at the same time |
| 46 | ike_365 | ike.tcl | Verify gateway handles Diffie-Hellman public keys with leading zeros |
| 47 | ike_366 | ike.tcl | Verify gateway handles ephemeral Diffie-Hellman shared secret with leading zeros |
| 48 | ike_370 | ike.tcl | Verify gateway accepts fragmented IKE packets |
| 49 | ike_371 | ike.tcl | Verify gateway accepts fragmented IKE packets in reverse order |
| 50 | ike_380 | ike.tcl | Verify gateway ignores IKE packets with an invalid UDP checksum |
| 51 | ike_natt_1 | ike-natt.tcl | Verify gateway detects NAT and uses NAT-T in initiator mode |
| 52 | ike_natt_2 | ike-natt.tcl | Verify gateway detects NAT and uses NAT-T in responder mode |
| 53 | ike_natt_10 | ike-natt.tcl | Verify gateway sends NAT-T Keep Alives in initiator mode |
| 54 | ike_natt_11 | ike-natt.tcl | Verify gateway sends NAT-T Keep-alives in responder mode |
| 55 | ike_natt_20 | ike-natt.tcl | When floating NAT-T header is used, IKE responses are sent to source port |
| 56 | ike_natt_30 | ike-natt.tcl | Allow IKE negotiations to begin on port 4500 |
| 57 | ike_natt_40 | ike-natt.tcl | No UDP encapsulation when NAT not detected in initiator mode |
| 58 | ike_natt_41 | ike-natt.tcl | No UDP encapsulation when NAT not detected in responder mode |