IPsec - Internet Protocol Security
What is IPsec?
IPsec (Internet Protocol Security) is a suite of protocols that secures IP communications by encrypting and authenticating each IP packet. When used outside of VPN, IPsec operates directly between endpoints (e.g., host-to-host or network-to-network) without creating a virtual tunnel. Think of it as a secure envelope for each individual IP packet, without the need for a full VPN tunnel.
Why is IPsec important outside VPN?
Data Confidentiality: Encrypts individual IP packets to prevent unauthorized access.
Data Integrity: Ensures packets haven’t been altered during transit.
Authentication: Verifies the identity of communicating devices.
Granular Security: Secures specific traffic flows without tunneling all traffic.
Low Overhead: No need for virtual interfaces or VPN clients.
How IPsec works (in simple steps):
Negotiation: Devices agree on security parameters using IKE (Internet Key Exchange).
Authentication: Devices authenticate using pre-shared keys or certificates.
Encryption & Integrity: Each IP packet is encrypted and signed.
Transmission: Secure packets are sent directly between endpoints.
Decryption: Receiving device decrypts and verifies each packet.
Where is IPsec used?
Host-to-Host Security: Direct secure communication between two servers or endpoints.
Intranet Protection: Secures internal traffic within a corporate LAN or WAN.
IoT Security: Protects data exchanged between IoT devices and control systems.
Mobile IP: Maintains secure sessions as users move across networks.
VoIP & Video: Secures real-time communication without tunneling overhead.
Why OSI Layer: Network Layer (Layer 3)?
IPsec operates directly on IP packets, securing all traffic regardless of application.
It works below the transport layer (TCP/UDP) and above the data link layer, making it part of the Network Layer.
This allows IPsec to secure all communication without modifying higher-layer protocols.
Is IPsec Windows specific?
No, IPsec (Internet Protocol Security) is not Windows specific. It is a widely supported standard across multiple platforms including Windows, Linux, macOS, and network appliances.
Is IPsec Linux specific?
No, IPsec is not Linux specific. While tools like strongSwan, Libreswan, and Openswan are common on Linux, IPsec is also supported on Windows, macOS, and embedded systems.
Which Transport Protocol is used by IPsec?
IPsec uses the following IP protocol numbers and ports (ESP and AH are carried directly in IP, not over a transport protocol):
Protocol 50 for ESP (Encapsulating Security Payload)
Protocol 51 for AH (Authentication Header)
UDP for IKE (Internet Key Exchange): port 500, and port 4500 for NAT traversal
Which Port is used by IPsec?
UDP port 500 for IKE (Internet Key Exchange)
UDP port 4500 for IKE with NAT traversal (NAT-T)
No port numbers are used for ESP (Protocol 50) and AH (Protocol 51) as they are IP layer protocols, not TCP/UDP-based
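The protocol numbers and ports listed above are what a firewall rule or a packet classifier keys on. The following added example (not code from the original page) labels constructed IPv4 packets as ESP, AH, IKE or NAT-T traffic. It handles IPv4 only and assumes the UDP-encapsulation layout of RFC 3948: on UDP port 4500, an IKE message is prefixed with a four-byte zero "non-ESP marker", a UDP-encapsulated ESP packet begins directly with its non-zero SPI, and a one-byte 0xFF payload is a NAT keepalive. Addresses, SPIs and packet contents are made up.

```python
"""Classify raw IPv4 packets by the IP protocol numbers and UDP ports IPsec uses.

Added example, not code from the original page. IPv4 only; the port-4500
disambiguation follows RFC 3948. All sample packets below are constructed.
"""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50   # ESP rides directly on IP as protocol 50
IPPROTO_AH = 51    # AH rides directly on IP as protocol 51
IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE on port 4500; an SPI is never zero


def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet: 'ESP', 'AH', 'IKE', 'IKE (NAT-T)',
    'ESP (UDP-encapsulated)', 'NAT-T keepalive', 'other' or 'malformed'."""
    if len(packet) < 20:
        return "malformed"
    if packet[0] >> 4 != 4:
        return "other"                       # only IPv4 is handled in this example
    ihl = (packet[0] & 0x0F) * 4             # header length, including any options
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    if proto == IPPROTO_ESP:
        return "ESP"
    if proto == IPPROTO_AH:
        return "AH"
    if proto != IPPROTO_UDP:
        return "other"
    udp = packet[ihl:]
    if len(udp) < 8:
        return "malformed"
    src_port, dst_port = struct.unpack("!HH", udp[:4])
    body = udp[8:]
    if IKE_PORT in (src_port, dst_port):
        return "IKE"
    if NATT_PORT not in (src_port, dst_port):
        return "other"
    if body == b"\xff":
        return "NAT-T keepalive"
    if len(body) < 4:
        return "malformed"
    if body[:4] == NON_ESP_MARKER:
        return "IKE (NAT-T)"
    return "ESP (UDP-encapsulated)"


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload


def build_udp(src: int, dst: int, payload: bytes) -> bytes:
    """UDP header (checksum left zero) in front of payload."""
    return struct.pack("!HHHH", src, dst, 8 + len(payload), 0) + payload


# Constructed sample packets; addresses, SPIs and contents are made up.
SAMPLES = {
    "esp": build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16),
    "ah": build_ipv4(IPPROTO_AH, bytes([6, 4, 0, 0]) + struct.pack("!II", 0x100, 1) + b"\x00" * 12),
    "ike": build_ipv4(IPPROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    "ike_natt": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28)),
    "esp_udp": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 16)),
    "keepalive": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, b"\xff")),
    "dns": build_ipv4(IPPROTO_UDP, build_udp(53000, 53, b"\x00" * 12)),
}


def classify_samples() -> dict:
    """Run the classifier over every constructed sample."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:10s} -> {label}")
```

The port-4500 case is the one worth remembering when writing detections: IKE and ESP share that port, so a rule that only matches the port cannot tell key exchange from data traffic; the non-ESP marker can.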
Does IPsec use a client-server model?
Yes, IPsec often operates using a client-server model in VPN scenarios, where:
The client (user device) initiates the secure tunnel
The server (VPN gateway or firewall) accepts the connection and establishes a secure channel
Terminology
Version Info
| IPsec Version | RFC | Year | Core Idea / Contribution |
|---|---|---|---|
| IPsec v1 | RFC 1825-1829 | 1995 | Initial IPsec architecture, ESP, AH, and key management (ISAKMP). |
| IPsec v2 | RFC 2401-2412 | 1998 | Revised architecture, ESP/AH updates, IKE v1 introduced. |
| IPsec v3 | RFC 4301 | 2005 | Updated architecture with better support for NAT, mobility, and modularity. |
| ESP Enhancements | RFC 4303 | 2005 | Defines the Encapsulating Security Payload (ESP) protocol. |
| AH Enhancements | RFC 4302 | 2005 | Defines the Authentication Header (AH) protocol. |
| Algorithm Support | RFC 4305 | 2005 | Cryptographic algorithm requirements for ESP and AH. |
| | RFC 4835 | 2007 | Updates algorithm requirements. |
| | RFC 8221 | 2017 | Further updates to cryptographic algorithm usage. |
| NAT Traversal | RFC 3947, 3948 | 2005 | NAT traversal for IPsec using UDP encapsulation. |
| Mobility Support | RFC 4555 | 2006 | IPsec support for Mobile IPv6. |
| Roadmap | RFC 6071 | 2011 | Comprehensive roadmap of IPsec and IKE-related RFCs. |
Setup
Transport Mode with AH
| S.No | Protocol Packets | Description | Size(Bytes) |
|---|---|---|---|
| 1 | Transport Mode with AH | Adds authentication to the original IP packet without encryption | ~44-84 bytes |
| | IP Header | Original IP header of the packet. | 20 (IPv4) / 40 (IPv6) |
| | Next Header | Identifies the type of the next payload (e.g., TCP, UDP). | 1 |
| | Payload Length | Length of the AH header in 32-bit words, minus 2. | 1 |
| | Reserved | Reserved for future use; must be zero. | 2 |
| | Security Parameters Index (SPI) | Identifies the security association. | 4 |
| | Sequence Number | Increments with each packet to prevent replay attacks. | 4 |
| | Authentication Data | Integrity Check Value (ICV) for the entire packet. | 12-32 |
| | Payload | Original transport layer data (e.g., TCP/UDP + application data). | Variable |
Transport Mode with ESP
| S.No | Protocol Packets | Description | Size(Bytes) |
|---|---|---|---|
| 2 | Transport Mode with ESP | Encrypts and optionally authenticates the transport layer payload. | ~60-100+ bytes |
| | IP Header | Original IP header of the packet. | 20 (IPv4) / 40 (IPv6) |
| | ESP Header | Contains SPI and Sequence Number. | 8 |
| | Payload Data | Encrypted transport layer data (e.g., TCP/UDP + application data). | Variable |
| | Padding | Aligns payload to encryption block size. | 0-255 |
| | Pad Length | Length of the padding. | 1 |
| | Next Header | Identifies the type of data in the payload (e.g., TCP, UDP). | 1 |
| | Authentication Data (optional) | Integrity Check Value (ICV) for the encrypted portion. | 12-32 |
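The two packet layouts above (AH, and ESP with its trailer) are easiest to understand by encoding and decoding them. The following added example (not code from the original page) builds and parses an AH header as laid out in RFC 4302 and an ESP packet as laid out in RFC 4303, including the "Payload Length = words minus 2" encoding, the zero Reserved field, and the ESP padding, Pad Length and Next Header trailer. The ESP parser works on plaintext (NULL encryption, or a packet already decrypted); SPIs, sequence numbers, ICV lengths and contents are constructed.

```python
"""Parse and build AH and ESP headers as laid out in the packet-format tables.

Added example, not code from the original page. AH layout per RFC 4302, ESP
layout and default padding pattern per RFC 4303. The ESP parser assumes the
body is plaintext (NULL encryption or already decrypted). All values are
constructed.
"""
import struct
from dataclasses import dataclass


@dataclass
class AHHeader:
    next_header: int   # protocol that follows AH (e.g. 6 = TCP)
    payload_len: int   # AH length in 32-bit words minus 2, as on the wire
    spi: int
    seq: int
    icv: bytes
    header_len: int    # total AH length in bytes


def parse_ah(data: bytes) -> AHHeader:
    """Decode an AH header; raises ValueError on defects a receiver rejects."""
    if len(data) < 12:
        raise ValueError("AH header truncated")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    if reserved != 0:
        raise ValueError("AH reserved field must be zero")
    header_len = (payload_len + 2) * 4           # undo the "words minus 2" encoding
    if len(data) < header_len:
        raise ValueError("AH ICV truncated")
    return AHHeader(next_header, payload_len, spi, seq, data[12:header_len], header_len)


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Encode an AH header; the ICV is padded to a 32-bit boundary."""
    icv = icv + b"\x00" * (-len(icv) % 4)
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


@dataclass
class ESPPacket:
    spi: int
    seq: int
    payload: bytes
    pad_len: int
    next_header: int
    icv: bytes


def build_esp_plaintext(spi: int, seq: int, payload: bytes, next_header: int,
                        icv: bytes, block_size: int = 4) -> bytes:
    """ESP header + payload + padding + trailer (Pad Length, Next Header) + ICV.

    Padding makes payload + padding + the 2 trailer bytes a multiple of
    block_size and uses the RFC 4303 default pattern 1, 2, 3, ...
    """
    pad_len = (-(len(payload) + 2)) % block_size
    padding = bytes(range(1, pad_len + 1))
    return (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]) + icv)


def parse_esp_plaintext(data: bytes, icv_len: int) -> ESPPacket:
    """Split a plaintext-body ESP packet into its fields, checking the trailer."""
    if len(data) < 8 + 2 + icv_len:
        raise ValueError("ESP packet truncated")
    spi, seq = struct.unpack("!II", data[:8])
    body_end = len(data) - icv_len
    icv = data[body_end:]
    body = data[8:body_end]
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("ESP pad length exceeds payload")
    payload_end = len(body) - 2 - pad_len
    padding = body[payload_end:len(body) - 2]
    if padding != bytes(range(1, pad_len + 1)):   # receiver may inspect default padding
        raise ValueError("ESP padding does not match the default pattern")
    return ESPPacket(spi, seq, body[:payload_end], pad_len, next_header, icv)


def demo():
    """Round-trip a constructed AH header and a constructed ESP packet."""
    ah = parse_ah(build_ah(6, 0x100, 1, b"\xaa" * 12))            # 12-byte (96-bit) ICV
    esp = parse_esp_plaintext(
        build_esp_plaintext(0x1234, 5, b"hello", 6, b"\xbb" * 12, block_size=16), icv_len=12)
    return ah, esp


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

With a 12-byte ICV the AH header is 24 bytes, so Payload Length on the wire is 24 / 4 - 2 = 4, which is the arithmetic the table's "32-bit words, minus 2" row describes; the ESP example shows why the padding field is 0-255 bytes and how the receiver recovers the original payload from the trailer.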
| S.no | Use Case | Description |
|---|---|---|
| 1 | Host-to-Host Security | Secures communication between two individual devices (e.g., server-to-server). |
| 2 | Intranet Protection | Encrypts internal traffic within a corporate LAN or WAN. |
| 3 | Data Confidentiality | Ensures privacy of IP packets without requiring a VPN tunnel. |
| 4 | Data Integrity | Verifies that data hasn't been altered during transit. |
| 5 | Authentication | Confirms the identity of endpoints using keys or certificates. |
| 6 | Secure VoIP and Video | Protects real-time communication from eavesdropping and tampering. |
| 7 | Mobile IP Security | Maintains secure sessions as users move across networks. |
| 8 | IoT Device Protection | Secures communication between IoT devices and control systems. |
| 9 | Lightweight Security | Provides encryption/authentication without full VPN overhead. |
| 10 | Application-Agnostic Security | Secures all IP traffic regardless of the application layer. |
| S.no | Feature | Description |
|---|---|---|
| 1 | Encryption | Encrypts individual IP packets to ensure confidentiality of data in transit. |
| 2 | Authentication | Verifies the identity of peers using pre-shared keys or digital certificates. |
| 3 | Integrity Checking | Ensures data hasn't been altered during transmission using hashing algorithms. |
| 4 | Transport Mode Support | Encrypts only the payload of IP packets, suitable for host-to-host security. |
| 5 | Key Exchange (IKE/IKEv2) | Negotiates security associations and keys between endpoints. |
| 6 | Security Associations (SAs) | Defines parameters for secure communication between hosts. |
| 7 | Protocol Support (ESP & AH) | Uses ESP for encryption and AH for integrity/authentication. |
| 8 | NAT Traversal | Enables IPsec to work through NAT devices using UDP encapsulation. |
| 9 | Replay Protection | Prevents attackers from reusing captured packets using sequence numbers. |
| 10 | Flexible Algorithm Support | Supports various encryption and hashing algorithms (e.g., AES, SHA-2). |
Encryption - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | IPsec Initialization | Enable IPsec on device | IPsec stack initializes successfully |
| 2 | SPI Generation | Generate Security Parameter Index | SPI is unique and valid |
| 3 | SA Creation | Create Security Association | SA is created with correct parameters |
| 4 | SA Deletion | Delete Security Association | SA is removed from system |
| 5 | SA Lifetime Expiry | Wait for SA to expire | SA is deleted automatically |
| 6 | Manual Keying | Configure manual keys | Keys are accepted and used |
| 7 | Replay Protection | Send duplicate packets | Packets are dropped |
| 8 | Encryption Algorithm Test | Use AES-CBC | Packet payload is encrypted |
| 9 | Authentication Algorithm Test | Use HMAC-SHA1 | Packet integrity is verified |
| 10 | ESP Packet Format | Send ESP packet | Packet follows RFC format |
| 11 | AH Packet Format | Send AH packet | Packet follows RFC format |
| 12 | Inbound Packet Decryption | Receive encrypted packet | Payload is decrypted correctly |
| 13 | Outbound Packet Encryption | Send packet | Payload is encrypted before transmission |
| 14 | Integrity Check Failure | Modify packet | Packets are dropped due to hash mismatch |
| 15 | Encryption Key Rotation | Change encryption key | New key is used for encryption |
| 16 | Authentication Key Rotation | Change auth key | New key is used for integrity |
| 17 | SA Negotiation | Negotiate SA manually | SA parameters match |
| 18 | Traffic Selector Match | Send matching traffic | Traffic is encrypted |
| 19 | Traffic Selector Mismatch | Send non-matching traffic | Traffic is not encrypted |
| 20 | Packet Size Limit | Send large packet | Packet is fragmented or dropped |
| 21 | ICMP Packet Encryption | Send ICMP packet | Packet is encrypted |
| 22 | TCP Packet Encryption | Send TCP packet | Packet is encrypted |
| 23 | UDP Packet Encryption | Send UDP packet | Packet is encrypted |
| 24 | Multicast Packet Handling | Send multicast packet | Packet is dropped or bypassed |
| 25 | IPv6 Support | Send IPv6 packet | Packet is encrypted |
| 26 | IPv4 Support | Send IPv4 packet | Packet is encrypted |
| 27 | SA Database Inspection | List active SAs | Correct SAs are listed |
| 28 | Replay Window Size | Set replay window | Window size is respected |
| 29 | Packet Reordering | Send out-of-order packets | Packets are accepted if within window |
| 30 | SA Bundling | Use multiple SAs | Packets use correct SA |
| 31 | ESP Tunnel Mode | Send packet in tunnel mode | Outer IP header is added |
| 32 | ESP Transport Mode | Send packet in transport mode | Original IP header is retained |
| 33 | AH Tunnel Mode | Send packet in AH tunnel mode | Outer IP header is added |
| 34 | AH Transport Mode | Send packet in AH transport mode | Original IP header is retained |
| 35 | SA with No Encryption | Use null encryption | Payload is not encrypted |
| 36 | SA with No Authentication | Use null authentication | Payload is not authenticated |
| 37 | SA with Both Null | Use null encryption and auth | Payload is sent as-is |
| 38 | SA with AES-GCM | Use AES-GCM algorithm | Payload is encrypted and authenticated |
| 39 | SA with ChaCha20-Poly1305 | Use ChaCha20-Poly1305 | Payload is encrypted and authenticated |
| 40 | SA with DES | Use DES algorithm | Payload is encrypted (legacy) |
| 41 | SA with Triple DES | Use 3DES algorithm | Payload is encrypted |
| 42 | SA with SHA-256 | Use SHA-256 for auth | Payload is authenticated |
| 43 | SA with SHA-512 | Use SHA-512 for auth | Payload is authenticated |
| 44 | SA with MD5 | Use MD5 for auth | Payload is authenticated (legacy) |
| 45 | SA with AES-CTR | Use AES-CTR | Payload is encrypted |
| 46 | SA with AES-CFB | Use AES-CFB | Payload is encrypted |
| 47 | SA with AES-OFB | Use AES-OFB | Payload is encrypted |
| 48 | SA with AES-XTS | Use AES-XTS | Payload is encrypted |
| 49 | SA with AES-KW | Use AES Key Wrap | Payload is encrypted |
| 50 | SA with Custom Algorithm | Use custom crypto module | Payload is encrypted using custom logic |
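Test cases 7 (Replay Protection), 28 (Replay Window Size) and 29 (Packet Reordering) above, and the Replay Protection row of the feature table, all exercise the same receiver-side mechanism: a sliding window over the sequence number. The following added example (not code from the original page) implements that window in the style of RFC 4303 section 3.4.3 and Appendix A, with the minimum 32-packet window the RFC requires and a 64-packet default, and replays the expected outcomes: duplicates are dropped, out-of-order packets inside the window are accepted, and packets that fall behind the window are dropped. The sequence of packets fed to it is constructed.

```python
"""Sliding anti-replay window for ESP/AH sequence numbers.

Added example, not code from the original page; modelled on RFC 4303
section 3.4.3 / Appendix A (32-bit sequence numbers, no ESN). The packet
sequence in replay_demo() is constructed.
"""


class AntiReplayWindow:
    """Track the highest accepted sequence number and a bitmap of the most
    recent ``size`` sequence numbers. RFC 4303 checks the window first, then
    verifies the ICV, and only then updates the window; process() keeps that
    order so an attacker cannot advance the window with forged packets."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) was received
        self.dropped = {"replay": 0, "too_old": 0, "bad_icv": 0}

    def check(self, seq: int) -> bool:
        """Window test only; does not modify state."""
        if seq > self.top:
            return True                              # ahead of the window: new
        if seq + self.size <= self.top:              # top - seq >= size
            self.dropped["too_old"] += 1
            return False                             # fell behind the window
        if (self.bitmap >> (self.top - seq)) & 1:
            self.dropped["replay"] += 1
            return False                             # already seen: replay
        return True                                  # inside window, not yet seen

    def mark(self, seq: int) -> None:
        """Record seq as received; call only after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                      # everything older drops out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def process(self, seq: int, icv_ok: bool = True) -> bool:
        """Full receive path: window check, ICV result, window update."""
        if not self.check(seq):
            return False
        if not icv_ok:
            self.dropped["bad_icv"] += 1
            return False
        self.mark(seq)
        return True


def replay_demo(window_size: int = 64):
    """Feed a constructed sequence through the window and report each verdict."""
    window = AntiReplayWindow(window_size)
    # in order, then 5 before 4 (reorder), a repeat of 3 (replay), a jump to 70
    # (6 now falls outside the window), a jump to 200, then 136/137/135 at the
    # window edge: 137 is the oldest number still inside a 64-wide window.
    sequence = [1, 2, 3, 5, 4, 3, 70, 6, 200, 136, 137, 135]
    verdicts = [window.process(seq) for seq in sequence]
    return verdicts, window.dropped


if __name__ == "__main__":
    verdicts, dropped = replay_demo()
    print(verdicts)
    print(dropped)
```

The window edge is where implementations usually get the off-by-one wrong: with top = 200 and a 64-packet window, 137 is still acceptable and 136 is not, which is exactly what test case 28 ("Window size is respected") should pin down.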
Authentication - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Authentication Initialization | Enable IPsec authentication module | Module initializes successfully |
| 2 | SA with Authentication Only | Create SA with only authentication | Packets are authenticated, not encrypted |
| 3 | AH Header Validation | Inspect AH header | Header conforms to RFC |
| 4 | HMAC-SHA1 Test | Use HMAC-SHA1 for authentication | Packet integrity is verified |
| 5 | HMAC-SHA256 Test | Use HMAC-SHA256 for authentication | Packet integrity is verified |
| 6 | HMAC-SHA512 Test | Use HMAC-SHA512 for authentication | Packet integrity is verified |
| 7 | MD5 Authentication Test | Use MD5 for authentication | Packet integrity is verified (legacy) |
| 8 | Null Authentication | Use null authentication | No integrity check performed |
| 9 | Replay Protection Enabled | Enable replay protection | Duplicate packets are dropped |
| 10 | Replay Protection Disabled | Disable replay protection | Duplicate packets are accepted |
| 11 | Authentication Key Rotation | Change authentication key | New key is used for integrity |
| 12 | Authentication Failure | Send tampered packet | Packet is dropped due to hash mismatch |
| 13 | Authentication Success | Send valid packet | Packet is accepted |
| 14 | AH Transport Mode | Use AH in transport mode | Original IP header is retained |
| 15 | AH Tunnel Mode | Use AH in tunnel mode | Outer IP header is added |
| 16 | Authentication with IPv4 | Send IPv4 packet | Packet is authenticated |
| 17 | Authentication with IPv6 | Send IPv6 packet | Packet is authenticated |
| 18 | Authentication with TCP | Send TCP packet | Packet is authenticated |
| 19 | Authentication with UDP | Send UDP packet | Packet is authenticated |
| 20 | Authentication with ICMP | Send ICMP packet | Packet is authenticated |
| 21 | Authentication with Fragmented Packet | Send fragmented packet | Packet fragments are authenticated |
| 22 | Authentication with Large Packet | Send large packet | Packet is authenticated |
| 23 | Authentication with Multicast | Send multicast packet | Packet may be dropped or bypassed |
| 24 | Authentication with Broadcast | Send broadcast packet | Packet may be dropped or bypassed |
| 25 | Authentication with ESP | Use ESP with authentication | Packet is encrypted and authenticated |
| 26 | Authentication with AH | Use AH protocol | Packet is authenticated |
| 27 | Authentication with Manual SA | Configure SA manually | Authentication works as configured |
| 28 | Authentication with Dynamic SA | Use dynamic SA negotiation | Authentication works as negotiated |
| 29 | Authentication with Multiple SAs | Use multiple SAs | Correct SA used for authentication |
| 30 | Authentication with Traffic Selector | Match traffic selector | Packet is authenticated |
| 31 | Authentication with Mismatched Selector | Mismatch selector | Packet is not authenticated |
| 32 | Authentication with Expired SA | Use expired SA | Packet is dropped |
| 33 | Authentication with Invalid SPI | Use invalid SPI | Packet is dropped |
| 34 | Authentication with Valid SPI | Use valid SPI | Packet is authenticated |
| 35 | Authentication with Custom Algorithm | Use custom auth algorithm | Packet is authenticated |
| 36 | Authentication with AES-GCM | Use AES-GCM for combined auth/encryption | Packet is authenticated and encrypted |
| 37 | Authentication with ChaCha20-Poly1305 | Use ChaCha20-Poly1305 | Packet is authenticated and encrypted |
| 38 | Authentication with SHA-1 | Use SHA-1 | Packet is authenticated |
| 39 | Authentication with SHA-256 | Use SHA-256 | Packet is authenticated |
| 40 | Authentication with SHA-512 | Use SHA-512 | Packet is authenticated |
| 41 | Authentication with MD5 | Use MD5 | Packet is authenticated (legacy) |
| 42 | Authentication with AES-XCBC | Use AES-XCBC-MAC | Packet is authenticated |
| 43 | Authentication with AES-CMAC | Use AES-CMAC | Packet is authenticated |
| 44 | Authentication with AES-KMAC | Use AES-KMAC | Packet is authenticated |
| 45 | Authentication with Key Mismatch | Use incorrect key | Packet is dropped |
| 46 | Authentication with Key Match | Use correct key | Packet is authenticated |
| 47 | Authentication with SA Inspection | Inspect SA database | Authentication parameters are correct |
| 48 | Authentication with Logging | Enable logging | Logs show authentication events |
| 49 | Authentication with Monitoring | Monitor traffic | Authenticated packets are visible |
| 50 | Authentication with Wireshark | Capture packets | AH/ESP headers visible in capture |
Integrity Checking - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Integrity Module Initialization | Enable integrity checking module | Module initializes successfully |
| 2 | HMAC-SHA1 Integrity Check | Use HMAC-SHA1 for integrity | Packet integrity is verified |
| 3 | HMAC-SHA256 Integrity Check | Use HMAC-SHA256 for integrity | Packet integrity is verified |
| 4 | HMAC-SHA512 Integrity Check | Use HMAC-SHA512 for integrity | Packet integrity is verified |
| 5 | MD5 Integrity Check | Use MD5 for integrity | Packet integrity is verified (legacy) |
| 6 | Null Integrity Check | Use null integrity algorithm | No integrity check performed |
| 7 | Integrity Check Failure | Modify packet content | Packet is dropped due to hash mismatch |
| 8 | Integrity Check Success | Send unmodified packet | Packet is accepted |
| 9 | Integrity with AH Protocol | Use AH for integrity | Packet is authenticated |
| 10 | Integrity with ESP Protocol | Use ESP with integrity enabled | Packet is authenticated |
| 11 | Integrity with AES-GCM | Use AES-GCM for combined encryption/integrity | Packet is encrypted and authenticated |
| 12 | Integrity with ChaCha20-Poly1305 | Use ChaCha20-Poly1305 | Packet is encrypted and authenticated |
| 13 | Integrity with AES-CMAC | Use AES-CMAC for integrity | Packet is authenticated |
| 14 | Integrity with AES-XCBC | Use AES-XCBC-MAC | Packet is authenticated |
| 15 | Integrity with AES-KMAC | Use AES-KMAC | Packet is authenticated |
| 16 | Integrity with SHA-1 | Use SHA-1 algorithm | Packet is authenticated |
| 17 | Integrity with SHA-256 | Use SHA-256 algorithm | Packet is authenticated |
| 18 | Integrity with SHA-512 | Use SHA-512 algorithm | Packet is authenticated |
| 19 | Integrity with Manual SA | Configure SA manually | Integrity check works as configured |
| 20 | Integrity with Dynamic SA | Use dynamic SA negotiation | Integrity check works as negotiated |
| 21 | Integrity with IPv4 | Send IPv4 packet | Packet is authenticated |
| 22 | Integrity with IPv6 | Send IPv6 packet | Packet is authenticated |
| 23 | Integrity with TCP | Send TCP packet | Packet is authenticated |
| 24 | Integrity with UDP | Send UDP packet | Packet is authenticated |
| 25 | Integrity with ICMP | Send ICMP packet | Packet is authenticated |
| 26 | Integrity with Fragmented Packet | Send fragmented packet | Packet fragments are authenticated |
| 27 | Integrity with Large Packet | Send large packet | Packet is authenticated |
| 28 | Integrity with Multicast Packet | Send multicast packet | Packet may be dropped or bypassed |
| 29 | Integrity with Broadcast Packet | Send broadcast packet | Packet may be dropped or bypassed |
| 30 | Integrity with Expired SA | Use expired SA | Packet is dropped |
| 31 | Integrity with Invalid SPI | Use invalid SPI | Packet is dropped |
| 32 | Integrity with Valid SPI | Use valid SPI | Packet is authenticated |
| 33 | Integrity with Key Rotation | Change integrity key | New key is used for integrity |
| 34 | Integrity with Key Mismatch | Use incorrect key | Packet is dropped |
| 35 | Integrity with Key Match | Use correct key | Packet is authenticated |
| 36 | Integrity with Replay Protection | Enable replay protection | Duplicate packets are dropped |
| 37 | Integrity with Logging | Enable logging | Logs show integrity check results |
| 38 | Integrity with Monitoring | Monitor traffic | Authenticated packets are visible |
| 39 | Integrity with Wireshark | Capture packets | AH/ESP headers visible in capture |
| 40 | Integrity with Packet Reordering | Send out-of-order packets | Packets accepted if within replay window |
| 41 | Integrity with Packet Loss | Drop some packets | Remaining packets are authenticated |
| 42 | Integrity with VLANs | Send packets across VLANs | Integrity check works if routing is correct |
| 43 | Integrity with NAT | Send packets through NAT | Integrity check may fail if headers are changed |
| 44 | Integrity with Tunneling | Use tunnel mode | Outer headers are authenticated |
| 45 | Integrity with Transport Mode | Use transport mode | Original headers are authenticated |
| 46 | Integrity with Custom Algorithm | Use custom integrity algorithm | Packet is authenticated |
| 47 | Integrity with Multiple SAs | Use multiple SAs | Correct SA used for integrity |
| 48 | Integrity with Traffic Selector | Match traffic selector | Packet is authenticated |
| 49 | Integrity with Mismatched Selector | Mismatch traffic selector | Packet is not authenticated |
| 50 | Integrity with SA Inspection | Inspect SA database | Integrity parameters are correct |
Transport Mode Support - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Transport Mode Initialization | Enable IPsec transport mode | Transport mode is activated |
| 2 | SA Creation in Transport Mode | Create SA for transport mode | SA is created with transport mode parameters |
| 3 | SA Deletion in Transport Mode | Delete transport mode SA | SA is removed successfully |
| 4 | Transport Mode with IPv4 | Send IPv4 packet | Packet is processed in transport mode |
| 5 | Transport Mode with IPv6 | Send IPv6 packet | Packet is processed in transport mode |
| 6 | ESP in Transport Mode | Use ESP protocol in transport mode | Payload is encrypted, IP header retained |
| 7 | AH in Transport Mode | Use AH protocol in transport mode | Payload is authenticated, IP header retained |
| 8 | Combined ESP+AH Transport Mode | Use both ESP and AH | Packet is encrypted and authenticated |
| 9 | Transport Mode with TCP | Send TCP packet | Packet is secured in transport mode |
| 10 | Transport Mode with UDP | Send UDP packet | Packet is secured in transport mode |
| 11 | Transport Mode with ICMP | Send ICMP packet | Packet is secured in transport mode |
| 12 | Transport Mode with Fragmented Packet | Send fragmented packet | Fragments are handled correctly |
| 13 | Transport Mode with Large Packet | Send large packet | Packet is processed or fragmented |
| 14 | Transport Mode with Replay Protection | Enable replay protection | Duplicate packets are dropped |
| 15 | Transport Mode with HMAC-SHA1 | Use HMAC-SHA1 for integrity | Packet integrity is verified |
| 16 | Transport Mode with HMAC-SHA256 | Use HMAC-SHA256 for integrity | Packet integrity is verified |
| 17 | Transport Mode with AES-CBC | Use AES-CBC for encryption | Packet payload is encrypted |
| 18 | Transport Mode with AES-GCM | Use AES-GCM for encryption and integrity | Packet is encrypted and authenticated |
| 19 | Transport Mode with ChaCha20-Poly1305 | Use ChaCha20-Poly1305 | Packet is encrypted and authenticated |
| 20 | Transport Mode with Manual SA | Configure SA manually | Transport mode works as configured |
| 21 | Transport Mode with Dynamic SA | Use dynamic SA negotiation | Transport mode works as negotiated |
| 22 | Transport Mode with Expired SA | Use expired SA | Packet is dropped |
| 23 | Transport Mode with Invalid SPI | Use invalid SPI | Packet is dropped |
| 24 | Transport Mode with Valid SPI | Use valid SPI | Packet is processed |
| 25 | Transport Mode with NAT | Send packet through NAT | Packet may be dropped or modified |
| 26 | Transport Mode with VLANs | Send packet across VLANs | Packet is processed if routing is correct |
| 27 | Transport Mode with Broadcast | Send broadcast packet | Packet may be dropped or bypassed |
| 28 | Transport Mode with Multicast | Send multicast packet | Packet may be dropped or bypassed |
| 29 | Transport Mode with Replay Window | Set replay window size | Replay protection respects window size |
| 30 | Transport Mode with Packet Reordering | Send out-of-order packets | Packets accepted if within replay window |
| 31 | Transport Mode with Packet Loss | Drop some packets | Remaining packets are processed |
| 32 | Transport Mode with Logging | Enable logging | Logs show transport mode activity |
| 33 | Transport Mode with Monitoring | Monitor traffic | Transport mode packets are visible |
| 34 | Transport Mode with Wireshark | Capture packets | ESP/AH headers visible, IP header retained |
| 35 | Transport Mode with Key Rotation | Change encryption/authentication keys | New keys are used |
| 36 | Transport Mode with Key Mismatch | Use incorrect key | Packet is dropped |
| 37 | Transport Mode with Key Match | Use correct key | Packet is processed |
| 38 | Transport Mode with Custom Algorithm | Use custom crypto module | Packet is processed using custom logic |
| 39 | Transport Mode with Traffic Selector | Match traffic selector | Packet is processed |
| 40 | Transport Mode with Mismatched Selector | Mismatch selector | Packet is not processed |
| 41 | Transport Mode with Multiple SAs | Use multiple SAs | Correct SA is selected |
| 42 | Transport Mode with SA Inspection | Inspect SA database | Transport mode parameters are correct |
| 43 | Transport Mode with TTL Handling | Send packet with low TTL | Packet may be dropped |
| 44 | Transport Mode with QoS Tags | Send packet with QoS tags | Tags are preserved |
| 45 | Transport Mode with DSCP Tags | Send packet with DSCP tags | Tags are preserved |
| 46 | Transport Mode with TOS Bits | Send packet with TOS bits | Bits are preserved |
| 47 | Transport Mode with IPv6 Extension Headers | Send IPv6 packet with extensions | Headers are preserved |
| 48 | Transport Mode with IPv4 Options | Send IPv4 packet with options | Options are preserved |
| 49 | Transport Mode with Tunnel Mode Comparison | Compare with tunnel mode | Transport mode retains original IP header |
| 50 | Transport Mode with Performance Test | Measure latency and throughput | Performance metrics are within expected range |
Key Exchange (IKE/IKEv2) - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | IKE Initialization | Start IKE daemon | IKE service starts successfully |
| 2 | IKEv2 Initialization | Start IKEv2 daemon | IKEv2 service starts successfully |
| 3 | SA Negotiation Start | Initiate SA negotiation | SA negotiation begins |
| 4 | SA Negotiation Success | Complete SA negotiation | SA is established |
| 5 | SA Negotiation Failure | Use mismatched parameters | SA negotiation fails |
| 6 | Authentication with Pre-Shared Key | Use PSK for authentication | SA is authenticated |
| 7 | Authentication with Certificates | Use X.509 certificates | SA is authenticated |
| 8 | Authentication with EAP | Use EAP method | SA is authenticated |
| 9 | Diffie-Hellman Group 2 | Use DH Group 2 | Key exchange completes |
| 10 | Diffie-Hellman Group 14 | Use DH Group 14 | Key exchange completes |
| 11 | Diffie-Hellman Group 19 | Use DH Group 19 (Elliptic Curve) | Key exchange completes |
| 12 | Diffie-Hellman Group Mismatch | Use mismatched DH groups | Key exchange fails |
| 13 | IKEv2 Fragmentation | Enable fragmentation | Large messages are fragmented |
| 14 | IKEv2 Reauthentication | Trigger reauthentication | SA is reauthenticated |
| 15 | IKEv2 Rekeying | Trigger rekeying | New keys are generated |
| 16 | IKEv2 MOBIKE Support | Change IP address | SA remains valid |
| 17 | IKEv2 NAT Detection | Detect NAT presence | NAT detected |
| 18 | IKEv2 Keepalive | Enable keepalive | Connection remains active |
| 19 | IKEv2 Dead Peer Detection | Enable DPD | Dead peer is detected |
| 20 | IKEv2 Cookie Mechanism | Trigger cookie exchange | Cookie is exchanged |
| 21 | IKEv2 Vendor ID Exchange | Send vendor ID | Vendor ID is received |
| 22 | IKEv2 Notify Payload | Send notify payload | Notification is received |
| 23 | IKEv2 Configuration Payload | Send configuration payload | Configuration is applied |
| 24 | IKEv2 Traffic Selector Negotiation | Negotiate traffic selectors | Selectors are agreed upon |
| 25 | IKEv2 Child SA Creation | Create child SA | Child SA is created |
| 26 | IKEv2 Child SA Deletion | Delete child SA | Child SA is removed |
| 27 | IKEv2 Multiple Child SAs | Create multiple child SAs | All SAs are created successfully |
| 28 | IKEv2 SA Lifetime Expiry | Wait for SA to expire | SA is deleted automatically |
| 29 | IKEv2 SA Manual Deletion | Manually delete SA | SA is removed |
| 30 | IKEv2 SA Inspection | Inspect SA database | SA parameters are correct |
| 31 | IKEv2 with IPv4 | Use IPv4 for negotiation | SA is established |
| 32 | IKEv2 with IPv6 | Use IPv6 for negotiation | SA is established |
| 33 | IKEv2 with Fragmented Packets | Send fragmented packets | Packets are reassembled |
| 34 | IKEv2 with Large Payloads | Send large payloads | Payloads are handled correctly |
| 35 | IKEv2 with Invalid Payload | Send malformed payload | Negotiation fails |
| 36 | IKEv2 with Logging Enabled | Enable logging | Logs show negotiation steps |
| 37 | IKEv2 with Monitoring | Monitor negotiation | Exchange is visible |
| 38 | IKEv2 with Wireshark | Capture packets | IKEv2 packets are visible |
| 39 | IKEv2 with NAT-T | Enable NAT traversal | Negotiation succeeds through NAT |
| 40 | IKEv2 with Firewall | Block IKE ports | Negotiation fails |
| 41 | IKEv2 with Port Change | Change IKE port | Negotiation adapts or fails |
| 42 | IKEv2 with Certificate Revocation | Use revoked certificate | Authentication fails |
| 43 | IKEv2 with Certificate Expiry | Use expired certificate | Authentication fails |
| 44 | IKEv2 with Valid Certificate | Use valid certificate | Authentication succeeds |
| 45 | IKEv2 with CRL Check | Enable CRL check | Revoked certs are rejected |
| 46 | IKEv2 with OCSP Check | Enable OCSP validation | Cert status is verified |
| 47 | IKEv2 with PSK Mismatch | Use incorrect PSK | Authentication fails |
| 48 | IKEv2 with PSK Match | Use correct PSK | Authentication succeeds |
| 49 | IKEv2 with Custom DH Group | Use custom DH group | Key exchange completes |
| 50 | IKEv2 Performance Test | Measure negotiation time | Time is within expected range |
Security Associations (SAs) - Testcases
| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | SA Initialization | Initiate SA between two hosts | SA established successfully |
| 2 | SA Negotiation | Exchange IKE messages | SA parameters agreed |
| 3 | SA Rekeying | Trigger rekeying manually | New SA replaces old one |
| 4 | SA Lifetime Expiry | Wait for SA to expire | SA deleted after timeout |
| 5 | SA Deletion | Manually delete SA | SA removed from table |
| 6 | SA with ESP | Use Encapsulating Security Payload | Encrypted traffic flows |
| 7 | SA with AH | Use Authentication Header | Authenticated traffic flows |
| 8 | SA with Both ESP & AH | Use both ESP and AH | Encrypted and authenticated traffic |
| 9 | SA with Tunnel Mode | Use tunnel mode | IPsec tunnel established |
| 10 | SA with Transport Mode | Use transport mode | Payload protected, headers visible |
| 11 | SA with IPv4 | Use IPv4 traffic | SA handles IPv4 correctly |
| 12 | SA with IPv6 | Use IPv6 traffic | SA handles IPv6 correctly |
| 13 | SA with ICMP | Send ICMP packets | ICMP protected by SA |
| 14 | SA with TCP | Send TCP packets | TCP protected by SA |
| 15 | SA with UDP | Send UDP packets | UDP protected by SA |
| 16 | SA Replay Protection | Send replayed packets | Packets dropped |
| 17 | SA Integrity Check | Tamper with packet | Packet rejected |
| 18 | SA Encryption Check | Verify encryption algorithm | Data encrypted as expected |
| 19 | SA Authentication Check | Verify authentication algorithm | Data authenticated |
| 20 | SA with Manual Keying | Configure keys manually | SA established without IKE |
| 21 | SA with Dynamic Keying | Use IKE for key exchange | Keys negotiated dynamically |
| 22 | SA with PFS | Enable Perfect Forward Secrecy | Keys regenerated securely |
| 23 | SA with NAT Traversal | Enable NAT-T | SA works behind NAT |
| 24 | SA with Fragmentation | Send large packets | Packets fragmented and reassembled |
| 25 | SA with MTU Constraints | Test with small MTU | SA handles fragmentation |
| 26 | SA with Multiple Peers | Establish SA with multiple peers | All SAs established |
| 27 | SA with Policy Mismatch | Use mismatched policies | SA negotiation fails |
| 28 | SA with Invalid SPI | Use invalid SPI | Packet dropped |
| 29 | SA with Replay Window | Test replay window size | Replay protection works |
| 30 | SA with Traffic Selector | Use specific traffic selectors | Only selected traffic protected |
| 31 | SA with Dead Peer Detection | Enable DPD | Dead peer detected |
| 32 | SA with Keepalive | Enable keepalive | SA maintained |
| 33 | SA with Certificate Auth | Use certificates for auth | SA established with certs |
| 34 | SA with PSK Auth | Use pre-shared key | SA established with PSK |
| 35 | SA with CRL | Use certificate revocation list | Revoked cert rejected |
| 36 | SA with IKEv1 | Use IKEv1 | SA established via IKEv1 |
| 37 | SA with IKEv2 | Use IKEv2 | SA established via IKEv2 |
| 38 | SA with Aggressive Mode | Use aggressive mode | SA established quickly |
| 39 | SA with Main Mode | Use main mode | SA established securely |
| 40 | SA with DDoS Simulation | Simulate DDoS on IKE port | SA negotiation fails |
| 41 | SA with Packet Sniffing | Monitor traffic | Encrypted packets visible |
| 42 | SA with IPsec Bypass | Use bypass policy | Traffic not encrypted |
| 43 | SA with IPsec Drop | Use drop policy | Traffic blocked |
| 44 | SA with IPsec Accept | Use accept policy | Traffic allowed |
| 45 | SA with SA Status Query | Query SA status | SA details returned |
| 46 | SA with SA Statistics | Check SA stats | Packet counts visible |
| 47 | SA with SA Refresh | Refresh SA manually | SA updated |
| 48 | SA with SA Migration | Migrate SA to new peer | SA re-established |
| 49 | SA with SA Backup | Backup SA configuration | Backup created |
| 50 | SA with SA Restore | Restore SA from backup | SA restored successfully |
Protocol Support (ESP & AH) - Testcases

# | Test Case | Description | Expected Result |
---|---|---|---|
1 | ESP Basic Functionality | Send encrypted traffic using ESP | Traffic encrypted and received correctly |
2 | AH Basic Functionality | Send authenticated traffic using AH | Traffic authenticated and received correctly |
3 | ESP with Tunnel Mode | Use ESP in tunnel mode | Entire packet encrypted |
4 | ESP with Transport Mode | Use ESP in transport mode | Payload encrypted, headers visible |
5 | AH with Tunnel Mode | Use AH in tunnel mode | Entire packet authenticated |
6 | AH with Transport Mode | Use AH in transport mode | Headers and payload authenticated |
7 | ESP with AES Encryption | Use AES algorithm with ESP | Data encrypted with AES |
8 | ESP with 3DES Encryption | Use 3DES algorithm with ESP | Data encrypted with 3DES |
9 | AH with SHA-1 | Use SHA-1 for AH authentication | Data authenticated with SHA-1 |
10 | AH with SHA-256 | Use SHA-256 for AH authentication | Data authenticated with SHA-256 |
11 | ESP with Integrity Check | Enable integrity check in ESP | Packet integrity verified |
12 | ESP without Integrity Check | Disable integrity check | Packet encrypted but not authenticated |
13 | AH with Replay Protection | Enable anti-replay in AH | Replayed packets dropped |
14 | ESP with Replay Protection | Enable anti-replay in ESP | Replayed packets dropped |
15 | ESP with NAT Traversal | Use ESP behind NAT | Traffic passes using UDP encapsulation |
16 | AH with NAT | Use AH behind NAT | AH fails due to header modification |
17 | ESP with IPv4 | Send ESP traffic over IPv4 | Traffic encrypted and received |
18 | ESP with IPv6 | Send ESP traffic over IPv6 | Traffic encrypted and received |
19 | AH with IPv4 | Send AH traffic over IPv4 | Traffic authenticated and received |
20 | AH with IPv6 | Send AH traffic over IPv6 | Traffic authenticated and received |
21 | ESP with Fragmentation | Send large ESP packets | Packets fragmented and reassembled |
22 | AH with Fragmentation | Send large AH packets | Packets authenticated and reassembled |
23 | ESP with ICMP | Send ICMP traffic with ESP | Encrypted ICMP traffic received |
24 | AH with ICMP | Send ICMP traffic with AH | Authenticated ICMP traffic received |
25 | ESP with TCP | Send TCP traffic with ESP | Encrypted TCP traffic received |
26 | AH with TCP | Send TCP traffic with AH | Authenticated TCP traffic received |
27 | ESP with UDP | Send UDP traffic with ESP | Encrypted UDP traffic received |
28 | AH with UDP | Send UDP traffic with AH | Authenticated UDP traffic received |
29 | ESP with Invalid Key | Use incorrect encryption key | Decryption fails |
30 | AH with Invalid Key | Use incorrect authentication key | Authentication fails |
31 | ESP with Manual Keying | Configure ESP manually | Traffic encrypted manually |
32 | AH with Manual Keying | Configure AH manually | Traffic authenticated manually |
33 | ESP with Dynamic Keying | Use IKE to negotiate ESP keys | Keys exchanged and traffic encrypted |
34 | AH with Dynamic Keying | Use IKE to negotiate AH keys | Keys exchanged and traffic authenticated |
35 | ESP with PFS | Enable Perfect Forward Secrecy | Keys regenerated securely |
36 | AH with PFS | Enable PFS for AH | Keys regenerated securely |
37 | ESP with Packet Tampering | Modify encrypted packet | Packet rejected |
38 | AH with Packet Tampering | Modify authenticated packet | Packet rejected |
39 | ESP with SPI Validation | Use invalid SPI | Packet dropped |
40 | AH with SPI Validation | Use invalid SPI | Packet dropped |
41 | ESP with SA Expiry | Let ESP SA expire | Traffic stops |
42 | AH with SA Expiry | Let AH SA expire | Traffic stops |
43 | ESP with Rekeying | Rekey ESP SA | New keys used for encryption |
44 | AH with Rekeying | Rekey AH SA | New keys used for authentication |
45 | ESP with Multiple Peers | Use ESP with multiple endpoints | All peers communicate securely |
46 | AH with Multiple Peers | Use AH with multiple endpoints | All peers authenticate traffic |
47 | ESP with Policy Mismatch | Use mismatched ESP policies | SA negotiation fails |
48 | AH with Policy Mismatch | Use mismatched AH policies | SA negotiation fails |
49 | ESP with Logging Enabled | Enable logging for ESP | Logs show encrypted traffic |
50 | AH with Logging Enabled | Enable logging for AH | Logs show authenticated traffic |
NAT Traversal - Testcases

# | Test Case | Description | Expected Result |
---|---|---|---|
1 | NAT-T Basic Functionality | Enable NAT-T on both peers | IPsec tunnel established behind NAT |
2 | NAT-T with One Peer Behind NAT | Only one peer behind NAT | Tunnel established using UDP encapsulation |
3 | NAT-T with Both Peers Behind NAT | Both peers behind different NATs | Tunnel established using UDP encapsulation |
4 | NAT-T Detection | Detect NAT presence during IKE negotiation | NAT detected and NAT-T enabled |
5 | NAT-T with ESP in UDP | Use ESP encapsulated in UDP | ESP packets encapsulated in UDP |
6 | NAT-T with Port Mapping | NAT device remaps ports | Tunnel still established |
7 | NAT-T with IP Mapping | NAT device remaps IP addresses | Tunnel still established |
8 | NAT-T Keepalive | Send NAT keepalive packets | NAT binding maintained |
9 | NAT-T with IKEv1 | Use IKEv1 with NAT-T | Tunnel established |
10 | NAT-T with IKEv2 | Use IKEv2 with NAT-T | Tunnel established |
11 | NAT-T with UDP Port 4500 | Use UDP port 4500 for NAT-T | Traffic flows through port 4500 |
12 | NAT-T with UDP Port 500 | Start negotiation on port 500 | Switches to 4500 after NAT detection |
13 | NAT-T with Static NAT | Use static NAT configuration | Tunnel established |
14 | NAT-T with Dynamic NAT | Use dynamic NAT configuration | Tunnel established |
15 | NAT-T with PAT | Use Port Address Translation | Tunnel established |
16 | NAT-T with Symmetric NAT | Use symmetric NAT | Tunnel may fail or require workaround |
17 | NAT-T with Cone NAT | Use full cone NAT | Tunnel established |
18 | NAT-T with Restricted NAT | Use restricted cone NAT | Tunnel established |
19 | NAT-T with Multiple Clients | Multiple clients behind same NAT | Tunnels established with unique ports |
20 | NAT-T with IPsec Policy Match | Ensure policies match with NAT-T enabled | Tunnel established |
21 | NAT-T with Fragmented Packets | Send large packets requiring fragmentation | Packets reassembled successfully |
22 | NAT-T with MTU Constraints | Use small MTU | Tunnel handles fragmentation |
23 | NAT-T with DPD | Enable Dead Peer Detection | Peer failure detected behind NAT |
24 | NAT-T with Keepalive Timeout | Simulate NAT timeout | Tunnel re-established |
25 | NAT-T with Re-keying | Re-key SA while behind NAT | New keys negotiated |
26 | NAT-T with IPsec Transport Mode | Use transport mode with NAT-T | Tunnel established |
27 | NAT-T with IPsec Tunnel Mode | Use tunnel mode with NAT-T | Tunnel established |
28 | NAT-T with ESP Integrity Check | Verify ESP integrity behind NAT | Packets authenticated |
29 | NAT-T with AH | Use AH protocol behind NAT | Fails due to header modification |
30 | NAT-T with Firewall | NAT device with firewall enabled | Tunnel established if ports allowed |
31 | NAT-T with UDP Flooding | Simulate UDP flood on port 4500 | Tunnel may drop or throttle |
32 | NAT-T with IPsec Logging | Enable logs during NAT-T | Logs show NAT detection and UDP encapsulation |
33 | NAT-T with IPsec Debugging | Enable debug mode | Detailed NAT-T negotiation visible |
34 | NAT-T with Packet Sniffing | Capture traffic with Wireshark | ESP-in-UDP packets visible |
35 | NAT-T with IPsec Bypass Policy | Use bypass policy | Traffic not encrypted |
36 | NAT-T with IPsec Drop Policy | Use drop policy | Traffic blocked |
37 | NAT-T with IPsec Accept Policy | Use accept policy | Traffic allowed |
38 | NAT-T with Mobile Clients | Use mobile device behind NAT | Tunnel established |
39 | NAT-T with Home Router | Use IPsec client behind home NAT router | Tunnel established |
40 | NAT-T with Enterprise Firewall | Use IPsec behind enterprise NAT/firewall | Tunnel established if ports open |
41 | NAT-T with IPsec Failover | Simulate failover of NAT device | Tunnel re-established |
42 | NAT-T with IPsec Migration | Change public IP of NAT device | Tunnel re-established |
43 | NAT-T with Multiple Interfaces | Use multiple interfaces on NAT device | Tunnel established on correct interface |
44 | NAT-T with IPsec SA Expiry | Let SA expire behind NAT | Tunnel re-established |
45 | NAT-T with IPsec SA Deletion | Delete SA manually | Tunnel torn down |
46 | NAT-T with IPsec SA Refresh | Refresh SA manually | Tunnel updated |
47 | NAT-T with IPsec Certificate Auth | Use certificates behind NAT | Tunnel established |
48 | NAT-T with IPsec PSK Auth | Use pre-shared key behind NAT | Tunnel established |
49 | NAT-T with IPsec Policy Mismatch | Use mismatched policies | Tunnel fails |
50 | NAT-T with IPsec Interop Test | Test NAT-T with different vendor devices | Tunnel established if standards followed |
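Rows 4, 5, 8, 11, 12 and 34 above all rest on two small mechanisms: IKEv2 NAT detection (RFC 7296 section 2.23, where each side hashes the SPIs together with the address and port it believes it is using, and the peer compares that against what actually arrived) and the UDP/4500 demultiplexing rules of RFC 3948 (a one-byte 0xFF keepalive, a four-zero-byte Non-ESP Marker in front of IKE, otherwise an ESP packet starting with its SPI). The following Python is an added example, not code from the original page; the SPI values, the addresses (documentation ranges) and the scenario of an initiator on 10.0.0.5 being rewritten to 203.0.113.7 are constructed for the illustration.

```python
import hashlib
import ipaddress
import struct
from typing import Dict, Tuple

Addr = Tuple[str, int]  # (IP address, UDP port)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Digest carried in an IKEv2 NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP
    notify (RFC 7296 section 2.23): SHA-1 over SPIi || SPIr || IP address || UDP port."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def detect_nat(spi_i: bytes, spi_r: bytes, peer_src_hash: bytes, peer_dst_hash: bytes,
               observed_peer: Addr, local: Addr) -> Dict[str, bool]:
    """Responder-side check. The peer hashed the address it believes it sent from; we hash
    the address we actually saw on the wire. Any mismatch means a NAT rewrote the header."""
    peer_behind_nat = nat_detection_hash(spi_i, spi_r, *observed_peer) != peer_src_hash
    local_behind_nat = nat_detection_hash(spi_i, spi_r, *local) != peer_dst_hash
    nat_present = peer_behind_nat or local_behind_nat
    return {
        "peer_behind_nat": peer_behind_nat,
        "local_behind_nat": local_behind_nat,
        # With a NAT in the path, IKE moves from UDP/500 to UDP/4500 and ESP is UDP-encapsulated
        "switch_to_4500": nat_present,
        "udp_encapsulate_esp": nat_present,
    }


def classify_port4500(payload: bytes) -> Dict[str, object]:
    """Demultiplex one UDP/4500 datagram per RFC 3948:
    - a single 0xFF byte is a NAT keepalive (keeps the NAT binding alive, never processed further),
    - four zero bytes (the Non-ESP Marker) prefix an IKE message,
    - anything else starts with an ESP SPI, which is never zero on the wire, then the sequence number."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "runt", "length": len(payload)}  # too short to be IKE or ESP: drop
    if payload[:4] == b"\x00\x00\x00\x00":
        return {"kind": "ike"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq}


# Constructed scenario: the initiator sits at private 10.0.0.5 behind a NAT that rewrites its
# source to 203.0.113.7; the responder listens on 198.51.100.1. SPIr is zero in the
# IKE_SA_INIT request because the responder has not chosen its SPI yet.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes(8)


def example_exchange() -> Dict[str, bool]:
    # Initiator builds its notifies from the addresses it knows about (before the NAT)
    src_hash = nat_detection_hash(SPI_I, SPI_R, "10.0.0.5", 500)
    dst_hash = nat_detection_hash(SPI_I, SPI_R, "198.51.100.1", 500)
    # Responder checks them against the addresses the packet actually carried
    return detect_nat(SPI_I, SPI_R, src_hash, dst_hash,
                      observed_peer=("203.0.113.7", 500), local=("198.51.100.1", 500))


if __name__ == "__main__":
    print(example_exchange())
    print(classify_port4500(b"\xff"))
    print(classify_port4500(b"\x00\x00\x00\x00" + bytes(28)))
    print(classify_port4500(b"\x12\x34\x56\x78\x00\x00\x00\x07" + b"ciphertext"))
```

The same comparison, run with the addresses the responder observes identical to the ones the initiator hashed, yields no NAT and the negotiation stays on port 500. Note that only the NAT detection hashes are covered by this example; a real stack also has to keep the UDP encapsulation for the ESP traffic that follows, which is what row 5 checks.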
Replay Protection - Testcases

# | Test Case | Description | Expected Result |
---|---|---|---|
1 | Replay Protection Enabled | Enable anti-replay on SA | Replayed packets are dropped |
2 | Replay Protection Disabled | Disable anti-replay on SA | Replayed packets are accepted |
3 | Replay Window Size Default | Use default replay window size | Packets within window accepted |
4 | Replay Window Size Custom | Set custom replay window size | Behavior matches configured window |
5 | Replay with Identical Packet | Resend same packet | Packet dropped |
6 | Replay with Modified Payload | Resend packet with changed payload | Packet dropped |
7 | Replay with Delayed Packet | Delay and resend packet | Packet dropped if outside window |
8 | Replay with Out-of-Order Packets | Send packets out of order | Accepted if within window |
9 | Replay with Duplicate Sequence | Send packet with duplicate sequence number | Packet dropped |
10 | Replay with Skipped Sequence | Skip sequence number and send | Packet accepted, gap noted |
11 | Replay with Wrapped Sequence | Force sequence number wraparound | New window starts, old packets dropped |
12 | Replay with ESP | Test replay protection with ESP | Replayed ESP packets dropped |
13 | Replay with AH | Test replay protection with AH | Replayed AH packets dropped |
14 | Replay with IKEv1 | Use IKEv1 with replay protection | Replayed packets dropped |
15 | Replay with IKEv2 | Use IKEv2 with replay protection | Replayed packets dropped |
16 | Replay with IPv4 | Send IPv4 packets | Replay protection enforced |
17 | Replay with IPv6 | Send IPv6 packets | Replay protection enforced |
18 | Replay with Fragmented Packets | Replay fragmented packets | Dropped if already received |
19 | Replay with NAT-T | Replay ESP-in-UDP packets | Dropped if replayed |
20 | Replay with Manual Keying | Use manual keys | Replay protection may not be enforced |
21 | Replay with Dynamic Keying | Use IKE-negotiated keys | Replay protection enforced |
22 | Replay with PFS | Enable Perfect Forward Secrecy | Replay protection still enforced |
23 | Replay with Re-keying | Replay old packet after rekey | Dropped due to SPI mismatch |
24 | Replay with Expired SA | Replay packet after SA expiry | Dropped due to invalid SA |
25 | Replay with Invalid SPI | Use invalid SPI in replayed packet | Packet dropped |
26 | Replay with Logging Enabled | Enable IPsec logs | Replay attempts logged |
27 | Replay with Debugging Enabled | Enable debug mode | Detailed logs of replay detection |
28 | Replay with Packet Sniffing | Capture and replay packet | Packet dropped |
29 | Replay with High Traffic | Replay during high traffic | Replay protection still enforced |
30 | Replay with Low Traffic | Replay during idle time | Packet dropped |
31 | Replay with Multiple Peers | Replay packet from one peer to another | Dropped due to SPI mismatch |
32 | Replay with Policy Mismatch | Use mismatched policies | SA not established |
33 | Replay with Firewall | Replay packet through firewall | Dropped if IPsec inspection enabled |
34 | Replay with NAT Device | Replay packet behind NAT | Dropped if replay protection enabled |
35 | Replay with Mobile Client | Replay packet from mobile device | Packet dropped |
36 | Replay with Static IP | Replay from static IP | Packet dropped |
37 | Replay with Dynamic IP | Replay from dynamic IP | Packet dropped |
38 | Replay with Time Sync Drift | Replay with clock drift | Packet dropped |
39 | Replay with Packet Injection | Inject replayed packet into stream | Packet dropped |
40 | Replay with DoS Simulation | Flood with replayed packets | Dropped and logged |
41 | Replay with Sequence Reset | Force sequence reset | Old packets dropped |
42 | Replay with Sequence Overflow | Force sequence number overflow | New window starts |
43 | Replay with SA Migration | Replay packet after SA migration | Dropped due to SPI mismatch |
44 | Replay with SA Backup/Restore | Replay packet after SA restore | Dropped if SPI or keys changed |
45 | Replay with IPsec Accept Policy | Use accept policy | Replay protection still enforced |
46 | Replay with IPsec Drop Policy | Use drop policy | All packets dropped |
47 | Replay with IPsec Bypass Policy | Use bypass policy | Replay protection not applied |
48 | Replay with Vendor Interop | Replay packet between different vendor devices | Packet dropped if compliant |
49 | Replay with Sequence Gap | Introduce large sequence gap | Older packets dropped |
50 | Replay with Sequence Replay Burst | Replay burst of old packets | All dropped |
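Rows 3 to 11 above (window size, identical packet, modified payload, delayed, out-of-order, duplicate and skipped sequence numbers) all come down to one receiver-side mechanism: the sliding anti-replay window that ESP and AH keep per inbound SA. The following Python is an added example, not code from the original page, modelled on the window algorithm in RFC 4303 Appendix A. The window size of 64, the packet stream, and the `icv_ok` flag that stands in for the result of the integrity check are assumptions made for the illustration. It also shows the ordering detail that makes row 6 work: the window is only updated after the integrity check passes, so a tampered copy cannot burn the slot of the genuine packet.

```python
from typing import Dict, List, Tuple


class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound SA, in the style of RFC 4303 Appendix A.

    Constructed example. Assumes 32-bit sequence numbers without Extended Sequence
    Numbers: the counter must never wrap, so a value past 2^32 - 1 is rejected here
    and, in a real stack, is the point at which the SA has to be rekeyed.
    """

    MAX_SEQ = 0xFFFFFFFF

    def __init__(self, window_size: int = 64):
        if window_size < 32:
            raise ValueError("RFC 4303 requires a minimum anti-replay window of 32 packets")
        self.size = window_size
        self.top = 0          # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0       # bit i set -> sequence number (top - i) has already been received
        self.counters: Dict[str, int] = {
            "accepted": 0, "replayed": 0, "stale": 0, "integrity_failed": 0, "invalid": 0,
        }

    def _precheck(self, seq: int) -> str:
        """Cheap check done before the (expensive) ICV verification; never modifies state."""
        if seq < 1 or seq > self.MAX_SEQ:
            return "invalid"            # 0 is never sent; past 2^32-1 the SA must be rekeyed
        if seq > self.top:
            return "ok"                 # right of the window: a new packet
        offset = self.top - seq
        if offset >= self.size:
            return "stale"              # left of the window: too old, dropped unconditionally
        if self.bitmap & (1 << offset):
            return "replayed"           # inside the window but already seen
        return "ok"

    def _commit(self, seq: int) -> None:
        """Record seq as received. Only called once the ICV has verified, so a forged or
        modified packet can never advance the window or mark a slot as used."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                                   # window jumped entirely forward
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool) -> str:
        """Process one inbound packet; icv_ok stands in for the integrity check result."""
        verdict = self._precheck(seq)
        if verdict == "ok":
            if icv_ok:
                self._commit(seq)
                verdict = "accepted"
            else:
                verdict = "integrity_failed"   # modified payload or wrong key: window untouched
        self.counters[verdict] += 1
        return verdict


def run_scenario(events: List[Tuple[int, bool]], window_size: int = 64) -> List[str]:
    """Feed (sequence number, integrity ok) pairs to a fresh window and return the verdicts."""
    window = AntiReplayWindow(window_size)
    return [window.receive(seq, icv_ok) for seq, icv_ok in events]


# Constructed packet stream that walks through the rows of the table above
SCENARIO: List[Tuple[int, bool]] = [
    (1, True),      # first packet on the SA
    (2, True),
    (2, True),      # identical packet resent -> replayed
    (5, True),      # 3 and 4 skipped -> accepted, gap left open in the window
    (3, True),      # late, out of order, still inside the window -> accepted
    (4, False),     # replay with modified payload: ICV fails, slot 4 stays free
    (4, True),      # the genuine packet 4 arrives later and is still accepted
    (100, True),    # big jump: window slides, everything below 37 is now stale
    (30, True),     # 100 - 30 = 70 >= 64 -> stale
    (40, True),     # 100 - 40 = 60 < 64 and unseen -> accepted
    (0, True),      # sequence number 0 is never valid without ESN
]

if __name__ == "__main__":
    for (seq, icv_ok), verdict in zip(SCENARIO, run_scenario(SCENARIO)):
        print(f"seq={seq:<4} icv_ok={icv_ok!s:<5} -> {verdict}")
```

The per-verdict counters are what the logging rows (26, 27, 40) expect to surface: a burst of "replayed" or "stale" verdicts on one SA is the signal to alert on, while a single "stale" after a long gap is usually just reordering or a lossy path.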
Flexible Algorithm Support - Testcases

# | Test Case | Description | Expected Result |
---|---|---|---|
1 | AES-128 Encryption | Use AES-128 for ESP encryption | Traffic encrypted with AES-128 |
2 | AES-256 Encryption | Use AES-256 for ESP encryption | Traffic encrypted with AES-256 |
3 | 3DES Encryption | Use 3DES for ESP encryption | Traffic encrypted with 3DES |
4 | ChaCha20 Encryption | Use ChaCha20 for ESP encryption | Traffic encrypted with ChaCha20 |
5 | Blowfish Encryption | Use Blowfish for ESP encryption | Traffic encrypted with Blowfish |
6 | DES Encryption | Use DES for ESP encryption | Traffic encrypted with DES |
7 | SHA-1 Authentication | Use SHA-1 for AH authentication | Traffic authenticated with SHA-1 |
8 | SHA-256 Authentication | Use SHA-256 for AH authentication | Traffic authenticated with SHA-256 |
9 | SHA-384 Authentication | Use SHA-384 for AH authentication | Traffic authenticated with SHA-384 |
10 | SHA-512 Authentication | Use SHA-512 for AH authentication | Traffic authenticated with SHA-512 |
11 | MD5 Authentication | Use MD5 for AH authentication | Traffic authenticated with MD5 |
12 | HMAC-SHA1 | Use HMAC with SHA-1 | HMAC applied correctly |
13 | HMAC-SHA256 | Use HMAC with SHA-256 | HMAC applied correctly |
14 | HMAC-SHA512 | Use HMAC with SHA-512 | HMAC applied correctly |
15 | RSA Key Exchange | Use RSA for IKE key exchange | Keys exchanged securely |
16 | DH Group 2 | Use Diffie-Hellman Group 2 | Keys exchanged securely |
17 | DH Group 5 | Use Diffie-Hellman Group 5 | Keys exchanged securely |
18 | DH Group 14 | Use Diffie-Hellman Group 14 | Keys exchanged securely |
19 | DH Group 19 | Use Diffie-Hellman Group 19 (Elliptic Curve) | Keys exchanged securely |
20 | DH Group 20 | Use Diffie-Hellman Group 20 (Elliptic Curve) | Keys exchanged securely |
21 | ECDSA Authentication | Use ECDSA for authentication | SA established with ECDSA |
22 | RSA Authentication | Use RSA certificates | SA established with RSA |
23 | PSK Authentication | Use pre-shared key | SA established with PSK |
24 | Certificate Revocation Check | Use CRL to validate certificates | Revoked cert rejected |
25 | Algorithm Negotiation | Negotiate algorithms during IKE | Compatible algorithms selected |
26 | Unsupported Algorithm | Use unsupported algorithm | SA negotiation fails |
27 | Algorithm Mismatch | Use mismatched algorithms | SA negotiation fails |
28 | Multiple Encryption Algorithms | Configure multiple encryption options | Best match selected |
29 | Multiple Authentication Algorithms | Configure multiple auth options | Best match selected |
30 | Algorithm Preference Order | Set preference order | Preferred algorithm selected |
31 | Algorithm Performance Test | Measure performance of each algorithm | Performance metrics recorded |
32 | Algorithm Interoperability | Test with different vendor implementations | SA established if compatible |
33 | Algorithm with IPv4 | Use flexible algorithms over IPv4 | Traffic protected |
34 | Algorithm with IPv6 | Use flexible algorithms over IPv6 | Traffic protected |
35 | Algorithm with ESP | Use flexible encryption algorithms with ESP | Traffic encrypted |
36 | Algorithm with AH | Use flexible auth algorithms with AH | Traffic authenticated |
37 | Algorithm with NAT-T | Use flexible algorithms behind NAT | Tunnel established |
38 | Algorithm with Fragmentation | Use flexible algorithms with large packets | Packets reassembled |
39 | Algorithm with Re-keying | Re-key SA with different algorithm | New algorithm applied |
40 | Algorithm with SA Expiry | Let SA expire and re-establish with new algorithm | New SA uses new algorithm |
41 | Algorithm with Manual Keying | Use manual keys with flexible algorithms | Traffic protected |
42 | Algorithm with Dynamic Keying | Use IKE with flexible algorithms | Traffic protected |
43 | Algorithm with Logging Enabled | Enable logs | Logs show algorithm used |
44 | Algorithm with Debugging Enabled | Enable debug mode | Detailed negotiation logs |
45 | Algorithm with Mobile Clients | Use flexible algorithms on mobile device | SA established |
46 | Algorithm with Embedded Devices | Use flexible algorithms on embedded systems | SA established |
47 | Algorithm with High Latency Network | Test algorithm performance under latency | SA maintained |
48 | Algorithm with Packet Loss | Test algorithm resilience to packet loss | SA maintained |
49 | Algorithm with DoS Simulation | Simulate DoS attack | SA protected |
50 | Algorithm with Vendor Compliance | Validate against vendor specs | Algorithms accepted |
Reference links