7.3.5. IPSec - Tunnels and Transport

7.3.5.1. eth2p-ethip4ipsectnl-ip4base-func

IPv4 IPsec tunnel mode test suite.

  • [Top] Network topologies: TG-DUT1 2-node topology with one link between nodes.
  • [Cfg] DUT configuration: On DUT1 create loopback interface, configure loopback and physical interface IPv4 addresses, static ARP record, route and IPsec manual keyed connection in tunnel mode.
  • [Ver] TG verification: ESP packet is sent from TG to DUT1. ESP packet is received on TG from DUT1.
  • [Ref] Applicable standard specifications: RFC4303.
Name Documentation Status
TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption algorithms used [Top] TG-DUT1.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
[Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG.
[Ref] RFC4303.
PASS
TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity algorithms used [Top] TG-DUT1.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
[Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG.
[Ref] RFC4303.
PASS
TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity algorithms used [Top] TG-DUT1.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
[Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG.
[Ref] RFC4303.
PASS
TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys.
[Ver] Send and receive ESP packet between TG and VPP node before and after SA keys update.
PASS
TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption algorithms used [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys.
[Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update.
PASS
TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity algorithms used [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys.
[Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update.
PASS
TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity algorithms used [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys.
[Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update.
PASS

7.3.5.2. eth2p-ethip4ipsectpt-ip4base-func

IPv4 IPsec transport mode test suite.

  • [Top] Network topologies: TG-DUT1 2-node topology with one link between nodes.
  • [Cfg] DUT configuration: On DUT1 create loopback interface, configure loopback and physical interface IPv4 addresses, static ARP record, route and IPsec manual keyed connection in transport mode.
  • [Ver] TG verification: ESP packet is sent from TG to DUT1. ESP packet is received on TG from DUT1.
  • [Ref] Applicable standard specifications: RFC4303.
Name Documentation Status
TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption algorithms used [Top] TG-DUT1.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode.
[Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG.
[Ref] RFC4303.
PASS
TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity algorithms used [Top] TG-DUT1.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode.
[Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG.
[Ref] RFC4303.
PASS
TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity algorithms used [Top] TG-DUT1.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode.
[Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG.
[Ref] RFC4303.
PASS
TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys.
[Ver] Send and receive ESP packet between TG and VPP node before and after SA keys update.
PASS
TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption algorithms used [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys.
[Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update.
PASS
TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity algorithms used [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys.
[Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update.
PASS
TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity algorithms used [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys.
[Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update.
PASS

7.3.5.3. eth2p-ethip6ipsectnl-ip6base-func

IPv6 IPsec tunnel mode test suite.

  • [Top] Network topologies: TG-DUT1 2-node topology with one link between nodes.
  • [Cfg] DUT configuration: On DUT1 create loopback interface, configure loopback and physical interface IPv6 addresses, static ARP record, route and IPsec manual keyed connection in tunnel mode.
  • [Ver] TG verification: ESP packet is sent from TG to DUT1. ESP packet is received on TG from DUT1.
  • [Ref] Applicable standard specifications: RFC4303.
Name Documentation Status
TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption algorithms used [Top] TG-DUT1.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
[Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG.
[Ref] RFC4303.
PASS
TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity algorithms used [Top] TG-DUT1.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
[Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG.
[Ref] RFC4303.
PASS
TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity algorithms used [Top] TG-DUT1.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
[Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG.
[Ref] RFC4303.
PASS
TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys.
[Ver] Send and receive ESP packet between TG and VPP node before and after SA keys update.
PASS
TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption algorithms used [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys.
[Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update.
PASS
TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity algorithms used [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys.
[Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update.
PASS
TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity algorithms used [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode. Then update SA keys - use new keys.
[Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update.
PASS

7.3.5.4. eth2p-ethip6ipsectpt-ip6base-func

IPv6 IPsec transport mode test suite.

  • [Top] Network topologies: TG-DUT1 2-node topology with one link between nodes.
  • [Cfg] DUT configuration: On DUT1 create loopback interface, configure loopback and physical interface IPv6 addresses, static ARP record, route and IPsec manual keyed connection in transport mode.
  • [Ver] TG verification: ESP packet is sent from TG to DUT1. ESP packet is received on TG from DUT1.
  • [Ref] Applicable standard specifications: RFC4303.
Name Documentation Status
TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport mode.
[Ver] Send and receive ESP packet between TG and VPP node.
PASS
TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption algorithms used [Top] TG-DUT1.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode.
[Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG.
[Ref] RFC4303.
PASS
TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity algorithms used [Top] TG-DUT1.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode.
[Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG.
[Ref] RFC4303.
PASS
TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity algorithms used [Top] TG-DUT1.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode.
[Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG.
[Ref] RFC4303.
PASS
TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys.
[Ver] Send and receive ESP packet between TG and VPP node before and after SA keys update.
PASS
TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption algorithms used [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys.
[Ver] Send an ESP packet encrypted by encryption key different from encryption key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update.
PASS
TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity algorithms used [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys.
[Ver] Send an ESP packet authenticated by integrity key different from integrity key stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update.
PASS
TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity algorithms used [Top] TG-DUT1.
[Ref] RFC4303.
[Cfg] On DUT1 configure IPsec manual keyed connection with encryption algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport mode. Then update SA keys - use new keys.
[Ver] Send an ESP packet authenticated by integrity key and encrypted by encryption key different from integrity and encryption keys stored on VPP node from TG to VPP node and expect no response to be received on TG before and after SA keys update.
PASS