7.3.5. IPSec - Tunnels and Transport¶
7.3.5.1. eth2p-ethip4ipsectnl-ip4base-func¶
IPv4 IPsec tunnel mode test suite.
- [Top] Network topologies: TG-DUT1 2-node topology with one link between nodes.
- [Cfg] DUT configuration: On DUT1 create loopback interface, configure loopback an physical interface IPv4 addresses, static ARP record, route and IPsec manual keyed connection in tunnel mode.
- [Ver] TG verification: ESP packet is sent from TG to DUT1. ESP packet is received on TG from DUT1.
- [Ref] Applicable standard specifications: RFC4303.
| Name | Documentation | Status |
|---|---|---|
| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used | [Top] TG-DUT1. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. [Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG. [Ref] RFC4303. |
PASS |
| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used | [Top] TG-DUT1. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. [Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG. [Ref] RFC4303. |
PASS |
| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used | [Top] TG-DUT1. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. [Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG. [Ref] RFC4303. |
PASS |
| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys. [Ver] Send and receive ESP packet between TG and VPP node before and after SA keys update. |
PASS |
| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys. [Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update. |
PASS |
| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys. [Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update. |
PASS |
| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys. [Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update. |
PASS |
7.3.5.2. eth2p-ethip4ipsectpt-ip4base-func¶
IPv4 IPsec transport mode test suite.
- [Top] Network topologies: TG-DUT1 2-node topology with one link between nodes.
- [Cfg] DUT configuration: On DUT1 create loopback interface, configure loopback an physical interface IPv4 addresses, static ARP record, route and IPsec manual keyed connection in transport mode.
- [Ver] TG verification: ESP packet is sent from TG to DUT1. ESP packet is received on TG from DUT1.
- [Ref] Applicable standard specifications: RFC4303.
| Name | Documentation | Status |
|---|---|---|
| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used | [Top] TG-DUT1. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. [Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG. [Ref] RFC4303. |
PASS |
| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used | [Top] TG-DUT1. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. [Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG. [Ref] RFC4303. |
PASS |
| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used | [Top] TG-DUT1. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. [Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG. [Ref] RFC4303. |
PASS |
| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys. [Ver] Send and receive ESP packet between TG and VPP node before and after SA keys update. |
PASS |
| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys. [Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update. |
PASS |
| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys. [Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update. |
PASS |
| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys. [Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update. |
PASS |
7.3.5.3. eth2p-ethip6ipsectnl-ip6base-func¶
IPv6 IPsec tunnel mode test suite.
- [Top] Network topologies: TG-DUT1 2-node topology with one link between nodes.
- [Cfg] DUT configuration: On DUT1 create loopback interface, configure loopback an physical interface IPv6 addresses, static ARP record, route and IPsec manual keyed connection in tunnel mode.
- [Ver] TG verification: ESP packet is sent from TG to DUT1. ESP packet is received on TG from DUT1.
- [Ref] Applicable standard specifications: RFC4303.
| Name | Documentation | Status |
|---|---|---|
| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used | [Top] TG-DUT1. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. [Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG. [Ref] RFC4303. |
PASS |
| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used | [Top] TG-DUT1. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. [Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG. [Ref] RFC4303. |
PASS |
| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used | [Top] TG-DUT1. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. [Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG. [Ref] RFC4303. |
PASS |
| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys. [Ver] Send and receive ESP packet between TG and VPP node before and after SA keys update. |
PASS |
| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys. [Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update. |
PASS |
| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys. [Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update. |
PASS |
| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys. [Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update. |
PASS |
7.3.5.4. eth2p-ethip6ipsectpt-ip6base-func¶
IPv6 IPsec transport mode test suite.
- [Top] Network topologies: TG-DUT1 2-node topology with one link between nodes.
- [Cfg] DUT configuration: On DUT1 create loopback interface, configure loopback an physical interface IPv6 addresses, static ARP record, route and IPsec manual keyed connection in transport mode.
- [Ver] TG verification: ESP packet is sent from TG to DUT1. ESP packet is received on TG from DUT1.
- [Ref] Applicable standard specifications: RFC4303.
| Name | Documentation | Status |
|---|---|---|
| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport mode. [Ver] Send and receive ESP packet between TG and VPP node. |
PASS |
| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used | [Top] TG-DUT1. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. [Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG. [Ref] RFC4303. |
PASS |
| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used | [Top] TG-DUT1. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. [Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG. [Ref] RFC4303. |
PASS |
| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used | [Top] TG-DUT1. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. [Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG. [Ref] RFC4303. |
PASS |
| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys. [Ver] Send and receive ESP packet between TG and VPP node before and after SA keys update. |
PASS |
| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys. [Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update. |
PASS |
| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys. [Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update. |
PASS |
| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used | [Top] TG-DUT1. [Ref] RFC4303. [Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys. [Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update. |
PASS |