IPSec can be used to encrypt control plane traffic, data traffic, or both in a variety of test cases. With the IPSec settings, you define the Internet Key Exchange (IKE) authentication mode and version, and the encryption and identification information required to negotiate the IKE and IPSec Security Associations (SAs) for the IPSec tunnels. In some cases, multiple SAs per MN are supported and you can select the type of traffic that is associated with each tunnel.
This topic describes the settings that control overall IPSec test support and behavior. The topics listed under Related Parameters describe the settings used during IKE v1 and v2, and the settings that determine how traffic is routed when multiple tunnels are used.
Related Parameters:
IKE Settings Pre-shared Keys
IKE With RSA Signature
Pre-provisioned Settings
IPSec measurements are reported on the IPSec report tab.
Use the drop-down list to select the IKE mode for the test. Parameters that are valid for the mode you select are enabled; parameters that are not applicable are disabled.
Options: IKE With Pre-Shared Keys, IKE With RSA Signature, Pre-provisioned Default: IKE With Pre-Shared Keys Tcl Parameter: DataIkeType
Update CDMA Wifi test cases (both nodal and node) to only allow IKEv2 for the . Also changed the combo box enabling logic globally to prevent the case where the combo box text looks disabled but you can still change the choice. Didn't seem to break anything, but we'll have to see how regression goes across the other test cases.
Fragment before ESP Header
Enable to fragment packets before adding the ESP header, so that each fragment is encrypted and authenticated separately (pre-fragmentation) rather than the resulting ESP packet being fragmented at the IP layer. Tcl Parameter: DataFragBeforeEspHeaderEn
Enable IKE SA Init Cookie Mechanism
Enable to support the IKE_SA_INIT cookie mechanism of RFC 4306 section 2.6 (IKEv2; the current revision is RFC 7296). It defends the responder against CPU and state-exhaustion attacks from spoofed IKE_SA_INIT requests: under load the responder answers with a stateless N(COOKIE) notification and only creates SA state once the initiator repeats the request carrying that cookie. For IKE With Pre-Shared Keys and IKE With RSA Signature, the checkbox is only enabled when IKE Version is V2. For Pre-provisioned, it is always enabled. Only available in Node type test cases. Tcl Parameter: DiaIkeCookieRequestEn
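The exchange described above, as an added example that is not part of the original page and not Spirent's own code: a toy IKEv2 responder that hands out the RFC 7296 section 2.6 stateless cookie (secret version byte followed by an HMAC over Ni, IPi and SPIi) and refuses to allocate half-open SA state until a valid cookie comes back. The class and function names, the `under_attack` flag (in a real responder this is a half-open SA threshold) and the use of HMAC-SHA256 as the hash are assumptions of this example; SPIs, nonces and addresses are raw bytes rather than encoded IKE payloads.

```python
import hashlib
import hmac
import os

# Notify Message Type COOKIE (RFC 7296 section 3.10.1); the notification data is 1..64 bytes.
COOKIE_NOTIFY = 16390


class IkeResponder:
    """Responder side of the IKE_SA_INIT cookie exchange (RFC 7296 section 2.6).

    Toy model for illustration: SPIs, nonces and addresses are raw bytes and the
    'messages' are Python tuples rather than encoded IKE headers.
    """

    def __init__(self, under_attack=False):
        self.under_attack = under_attack          # in practice: half-open SA count above a threshold
        self._secrets = [(1, os.urandom(32))]     # (version, secret), newest first, at most two kept
        self.half_open = {}                       # SPIi -> state; allocated only for accepted requests

    def rotate_secret(self):
        """Periodic rotation; the previous secret stays valid so in-flight cookies are not rejected."""
        version = (self._secrets[0][0] + 1) % 256
        self._secrets = [(version, os.urandom(32))] + self._secrets[:1]

    def _cookie(self, version, secret, ni, ipi, spii):
        # <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>): nothing here depends on per-request
        # state, so the responder can recompute and check it without remembering anything.
        mac = hmac.new(secret, ni + ipi + spii, hashlib.sha256).digest()
        return bytes([version]) + mac             # 33 bytes, within the 64-byte limit

    def cookie_ok(self, cookie, ni, ipi, spii):
        if len(cookie) != 33:
            return False
        for version, secret in self._secrets:
            if version == cookie[0]:
                expected = self._cookie(version, secret, ni, ipi, spii)
                return hmac.compare_digest(cookie, expected)
        return False                              # secret already rotated out: make the peer retry

    def handle_sa_init(self, spii, ni, ipi, cookie=None):
        """Process an IKE_SA_INIT request.

        Returns ('COOKIE', cookie) when the initiator must repeat the request carrying
        N(COOKIE), or ('SA_INIT', SPIr) once the responder is willing to create state.
        """
        if self.under_attack and (cookie is None or not self.cookie_ok(cookie, ni, ipi, spii)):
            version, secret = self._secrets[0]
            return "COOKIE", self._cookie(version, secret, ni, ipi, spii)
        spir = os.urandom(8)
        self.half_open[spii] = {"ni": ni, "spir": spir}
        return "SA_INIT", spir


def initiator_open(responder, ipi):
    """Initiator: send IKE_SA_INIT; on N(COOKIE), resend the same request with the cookie prepended.

    SPIi and Ni must be reused unchanged, otherwise the responder's recomputed hash differs.
    """
    spii, ni = os.urandom(8), os.urandom(32)
    kind, data = responder.handle_sa_init(spii, ni, ipi)
    if kind == "COOKIE":
        kind, data = responder.handle_sa_init(spii, ni, ipi, cookie=data)
    return kind, spii
```

The point to check when testing a DUT with this option enabled is the one the code makes explicit: before the cookie round trip completes, `half_open` stays empty, and a cookie computed for one nonce or source address does not verify for another, so an attacker spoofing addresses cannot reuse a cookie it obtained legitimately.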
IKE Version
Use the drop-down list to select the IKE version used. When you select V2, you can include EAP Authorization and provision the initiator and responder information for each tunnel with the Advanced settings.
Options: V1 or V2 Default: V1 Tcl Parameter: DataIkeVer
Number of Cryptographic Suites
For IPSec with IKEv2 you may configure a maximum of 5 cryptographic suites, where each suite contains the Authentication type, Encryption Key Type, Use AEAD Type, Oakley Group type, and Hash type. When a suite uses an AEAD encryption algorithm, the cipher provides integrity itself and no separate integrity algorithm is negotiated for that suite (RFC 5282).
Tcl Parameter: DataNumCryptoSuites Options: 1 - 5 Default: 1 See the IPSec Algorithm and Keys topic for a description of these parameters.
Include Peer ID
Select the Include Peer ID checkbox to specify the contents of the IDr payload that can be sent in the IKE_AUTH exchange for IKE version 2 (the initiator uses IDr to tell the responder which of its identities, and therefore which credentials, it expects the responder to authenticate with). Use the Type drop-down list to select the ID type.
Option: Fully Qualified Domain Name is the only option available on most IPSec tabs. Define the elements that form the FQDN in the Peer Host Name and Peer Domain Name fields.
Option: KEY_ID (ID type ID_KEY_ID (11) per RFC 2407 section 4.6.2.12) is available on these IPSec tabs:
AMF Nodal: NWu, SWu
MME Nodal: SWu
Wifi Nodal: Data-IPSec
When Peer ID Type is KEY_ID, Peer Host Name and Peer Domain Name are greyed out.
Tcl Parameter: DataIncludePeerIdPayload Tcl Parameter: DataPeerIdPayloadType
Peer Host Name
Enter the Peer Host Name (combined with the Peer Domain Name to form the FQDN sent in IDr). When Peer ID Type is KEY_ID, Peer Host Name and Peer Domain Name are greyed out. Range: N/A Default: PeerAgent Tcl Parameter: DataPeerHostName
Peer Domain Name
Enter the Peer Domain Name (combined with the Peer Host Name to form the FQDN sent in IDr). When Peer ID Type is KEY_ID, Peer Host Name and Peer Domain Name are greyed out. Range: N/A
Default: spirent.net Tcl Parameter: DataPeerDomainName
SA Response Timeout (previously named Retry Interval)
When IKE Phase I and II are performed, SA Response Timeout defines the maximum number of seconds the test waits for a required response to an IKE message before re-transmitting the message. Enter 0 to disable retries.
Range: 0 - 65535 Default: 30 Tcl Parameter: DataRetryInterval Related Measurements
SA Request Max Retries (previously named Max Retry Attempts)
SA Request Max Retries defines the maximum number of times the test re-sends an IKE message to the peer before concluding that the peer is not available. Once SA Request Max Retries is exhausted, the test starts a new Phase 1 negotiation. The parameter is available for IKE V1 and V2 with IKE With Pre-Shared Keys and IKE With RSA Signature. When a large number of tunnels is being set up, the DUT may not respond to every IKE request immediately; repeated attempts allow all tunnels to be established.
Range: 0 - 1000000 Default: 2 Tcl Parameter: MaxAttempts
Anti-Replay Protection
Available on AMF Nodal, UPF Nodal, and Network Host, for IKE = IKE With Pre-Shared Keys or IKE With RSA Signature. Select to emulate IPSec Replay Attack.
An overview of replay attacks: a replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently recorded and later repeated. The attacker records legitimate communications and repeats them in order to impersonate a valid user and disrupt legitimate connections. Because the replayed packets were genuinely encrypted and authenticated by the sender, the receiver's integrity check alone cannot detect them.
IPsec replay check protection: IPsec assigns a monotonically increasing sequence number to each encrypted packet. The receiving IPsec endpoint keeps track of which packets it has already processed using these numbers and a sliding window of acceptable sequence numbers (RFC 4303 section 3.4.3; the window must be at least 32 packets wide, and 64 is the recommended default).
When an IPsec tunnel endpoint has anti-replay protection enabled, incoming IPsec traffic is processed as follows:
A packet whose sequence number is higher than any received so far is accepted and the window slides forward to it.
A packet whose sequence number falls inside the window and has not been seen before is accepted and marked in the window.
A packet whose sequence number falls to the left of the window, or that is already marked as received, is dropped and counted as a replay.
The window is updated only after the packet's integrity check value (ICV) has verified, so a forged packet with a high sequence number cannot push legitimate packets out of the window.
Tcl Parameter: DataAntiReplayProtectionEn
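The receive-side processing above, as an added example that is not part of the original page and not Spirent's code: a 64-packet bitmap window in the style of RFC 4303 Appendix A, with the ICV result passed in as a boolean so the "check before, update after" ordering is visible. Class and function names are this example's own, and the event list is constructed for the demonstration.

```python
class AntiReplayWindow:
    """Inbound ESP anti-replay check with a sliding bitmap window (RFC 4303 section 3.4.3 / Appendix A).

    Toy model of the receiver side only: 32-bit sequence numbers, no Extended Sequence
    Numbers, and the ICV verification result is passed in as a boolean.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.top = 0                    # highest sequence number accepted so far (0: none yet)
        self.bitmap = 0                 # bit i set: sequence number (top - i) already accepted
        self._mask = (1 << size) - 1

    def check(self, seq):
        """Cheap pre-check run before the ICV is verified. Returns (ok, reason)."""
        if seq == 0:
            return False, "sequence number 0 is never sent on an SA"
        if seq > self.top:
            return True, "right of window"
        offset = self.top - seq
        if offset >= self.size:
            return False, "left of window (too old)"
        if self.bitmap & (1 << offset):
            return False, "duplicate (replay)"
        return True, "inside window, not seen"

    def update(self, seq):
        """Slide or mark the window. Only called once the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            # a jump past the whole window leaves only the new packet marked
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self._mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, icv_valid):
        ok, reason = self.check(seq)
        if not ok:
            return False, reason
        if not icv_valid:
            # A packet that fails integrity must not move the window; otherwise an attacker
            # could inject a large bogus sequence number and evict genuine in-flight packets.
            return False, "ICV failed, window unchanged"
        self.update(seq)
        return True, reason


def replay_trace(events, size=64):
    """Feed (seq, icv_valid) events through one window; returns [(seq, accepted, reason), ...]."""
    window = AntiReplayWindow(size)
    return [(seq, *window.receive(seq, icv_valid)) for seq, icv_valid in events]


# Constructed sample: in-order, reordered, replayed, stale and forged packets on one inbound SA.
SAMPLE_EVENTS = [
    (1, True), (3, True), (2, True),   # 2 arrives late but is inside the window: accepted
    (3, True),                         # exact replay of packet 3: dropped
    (70, True),                        # window slides to 70
    (5, True),                         # 70 - 5 = 65 >= 64: left of the window, dropped
    (7, True),                         # 70 - 7 = 63: still inside the window, accepted
    (71, False),                       # forged packet, bad ICV: dropped and window stays at 70
    (71, True),                        # genuine 71 still accepted afterwards
    (0, True),                         # sequence number 0: dropped
]

if __name__ == "__main__":
    for seq, accepted, reason in replay_trace(SAMPLE_EVENTS):
        print(f"seq={seq:<3} {'ACCEPT' if accepted else 'DROP  '} {reason}")
```

The trace is the behaviour to expect from a DUT: reordering within the window is tolerated, an exact replay and a stale packet are dropped, and a bad-ICV packet with a high sequence number does not disturb the window. Note that the drop reasons are what an anti-replay counter on the IPSec report tab would aggregate; a DUT that counts the stale packet (5) as a replay is behaving correctly.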
IKEv2 Fragmentation
Select for support of IKEv2 message fragmentation. Per RFC 7383, IKE fragmentation MUST NOT be used unless both peers have indicated their support for it by including the IKEV2_FRAGMENTATION_SUPPORTED notification in the IKE_SA_INIT exchange; only the encrypted messages (IKE_AUTH and later) are fragmented, which avoids IP-level fragmentation of large certificate-carrying messages that many NAT devices and firewalls drop. Available on all IPSec tabs, in the "IKE Settings - Pre-Shared Key" and "IKE Settings - RSA Signature" panels when IKE Version = V2. Tcl Parameter: DataIkeV2FragmentEn
N3GPP Backoff Timer (s)
Resource Congestion is used to indicate that the requested service was rejected because of congestion in the network. The N3IWF sends the CONGESTION (15500) Notify payload in the IKE_AUTH Response message. Resource Congestion is available at the bottom of the NWu IPSec tab for the AMF Nodal and Non 3GPP Access Node test cases. Additionally, the Non-3GPP Access GW Node's NWu IPSec tab includes a numerical input box labeled "N3GPP Backoff Timer (s)", which is enabled when Resource Congestion is checked. This field holds the value of the backoff timer; the N3IWF sends it in the N3GPP_BACKOFF_TIMER (55507) Notify payload in the IKE_AUTH Response message, and the UE retries connection establishment after this timer expires. Enabling Resource Congestion requires NWu|TCP Version (24.502) >= 16.4.0. Range: 0 - 65535 Tcl Parameter: NWuResourceCongestionEn Tcl Parameter: NWuN3gppBackoffTimer
If one of the IPSec peers is an MN, you can use the checkbox to enable IPSec NAT Traversal, which allows an MN with a private address to exchange IPSec packets with a peer while traversing a NAT gateway. When NAT Traversal is used, IPSec packets are encapsulated in UDP (RFC 3948; IKE likewise moves to port 4500, prefixed with a four-byte Non-ESP marker) and a keep-alive packet (a single 0xFF byte in a UDP datagram) is sent every 4 minutes by default to refresh the NAT gateway's UDP bindings. When you enable NAT Traversal, you can configure the number of seconds for the NAT Keep-alive Interval timer; keep it below the NAT gateway's UDP idle timeout, otherwise the binding expires during idle periods and inbound packets from the peer are dropped.
Range: 0 — 65535 Default: 240
You can also define the NAT Source Port and NAT Destination Port. Range: 0 — 65535 Default: 4500
Originating Source Port Tcl Parameter: DataOriginatingSourcePort Range: 0 — 65535 Default: 500
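The encapsulation and keep-alive behaviour described above, as an added example that is not part of the original page and not Spirent's code: the UDP/4500 framing of RFC 3948 and RFC 7296 section 2.23 (ESP header, Non-ESP marker for IKE, one-byte keep-alive) plus a toy NAT gateway used to show why the keep-alive interval must stay below the NAT's idle timeout. The `NatGateway` class, its 300 s idle timeout and the convention that `keepalive_interval=None` disables keep-alives are assumptions of this example, not page settings.

```python
import struct

NATT_PORT = 4500                      # page default for NAT Source/Destination Port (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE on UDP/4500 is prefixed with 4 zero bytes (RFC 7296 section 2.23)
NAT_KEEPALIVE = b"\xff"               # one-byte keep-alive, consumed by the NAT-T layer (RFC 3948 section 2.3)


def udp_encap_esp(spi, seq, ciphertext_and_icv):
    """UDP payload for an ESP packet: ESP header (SPI || sequence number) followed by the ESP body."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it is what lets a receiver tell ESP from the Non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext_and_icv


def udp_encap_ike(ike_message):
    """UDP payload for an IKE message sent on port 4500."""
    return NON_ESP_MARKER + ike_message


def demux(udp_payload):
    """Classify a datagram received on UDP/4500 as ('keepalive'|'ike'|'esp'|'invalid', data)."""
    if udp_payload == NAT_KEEPALIVE:
        return "keepalive", None               # refreshes the NAT binding; never passed to IPsec
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike", udp_payload[4:]
    if len(udp_payload) < 8:
        return "invalid", udp_payload           # shorter than an ESP header
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return "esp", (spi, seq, udp_payload[8:])


class NatGateway:
    """Toy NAT (constructed for this example): one UDP binding per inside (ip, port),
    forgotten after idle_timeout seconds without outbound traffic."""

    def __init__(self, public_ip="198.51.100.1", idle_timeout=300, first_port=1025):
        self.public_ip, self.idle_timeout = public_ip, idle_timeout
        self._next_port = first_port                  # like the page's NAT Starting Port
        self._out = {}                                # inside -> (public_port, last_outbound_time)
        self._back = {}                               # public_port -> inside

    def outbound(self, inside, now):
        entry = self._out.get(inside)
        if entry is None or now - entry[1] > self.idle_timeout:
            if entry is not None:
                del self._back[entry[0]]              # stale binding: the old port is gone
            port, self._next_port = self._next_port, self._next_port + 1
            self._back[port] = inside
        else:
            port = entry[0]
        self._out[inside] = (port, now)               # any outbound datagram refreshes the binding
        return self.public_ip, port

    def inbound(self, public_port, now):
        inside = self._back.get(public_port)
        if inside is None or now - self._out[inside][1] > self.idle_timeout:
            return None                               # no live binding: the NAT drops the packet
        return inside


def inbound_reaches_mn(keepalive_interval, quiet_seconds, idle_timeout=300):
    """An MN behind a NAT sends one ESP packet at t=0, then nothing but keep-alives for
    quiet_seconds. Returns True if the peer's ESP packet at t=quiet_seconds still reaches the MN.
    keepalive_interval=None disables keep-alives (an assumption of this toy, not a page setting)."""
    nat = NatGateway(idle_timeout=idle_timeout)
    mn = ("10.0.0.2", NATT_PORT)
    _, public_port = nat.outbound(mn, 0)              # first packet creates the binding
    t = 0
    if keepalive_interval:
        while t + keepalive_interval < quiet_seconds:
            t += keepalive_interval
            nat.outbound(mn, t)                       # the MN sends NAT_KEEPALIVE
    return nat.inbound(public_port, quiet_seconds) == mn
```

With the page's 240 s default and a NAT that forgets idle UDP bindings after 300 s, `inbound_reaches_mn(240, 1000)` is True; with keep-alives disabled, or set to 400 s, the binding lapses and the peer's traffic is dropped by the NAT, which is the failure a too-long NAT Keep-alive Interval produces in a test.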
NAT Emulation
Available when NAT Traversal is enabled, and: when AP Tunnel Type = None on the Wifi Offload Gateway Nodal test case; when N3IWF is enabled on the AMF Nodal test case; or on the SWu IPSec tab when NAT Traversal is enabled for Inter Tech WiFi on AMF Nodal and MME Nodal. Select NAT Emulation to emulate a NAT gateway in front of the outer IP addresses in a NAT-T scenario.
Enter the NAT Address and NAT Starting Port. Range: 1025 — 65535 Default: 1025
Redirect
The Redirect option is available in IP Application Node, Site to Site Nodal, MME Nodal and Node test cases when IKE Version is V2 for IKE With Pre-Shared Keys and IKE With RSA Signature.
Select Redirect to indicate the use of the redirect mechanism during the IKE_SA_INIT exchange (RFC 5685 section 3). Redirect is also available for selection in the Security GW Node test case when IKE Version is V2 for IKE With Pre-Shared Keys and IKE With RSA Signature. The redirect mechanism in the Security GW Node test case redirects the client to another VPN gateway during an active session and also handles Redirects during Rekeys and Rekeys during Redirects (RFC 5685 section 5). Selecting Redirect allows you to indicate whether Informational messages are redirected, enter the Redirect Security Gateway Address, the Tunnel ID used for start redirect messages and the time to hold before starting the redirect mechanism.
Private Vendor ID
The Private Vendor ID checkbox is available only with IKEv1 (for XAuth with PSK). Select the Private Vendor ID checkbox and click the Vendor IDs button to open the Private Vendor IDs dialog box. Select the number of IDs from the Number of IDs drop-down list, and the corresponding Vendor IDs become available. Each Vendor ID is entered as a hex string. Range: 2 - 128 characters (minimum of two in addition to 0x) Default: 0x Tcl Parameter: DataPrivateVendorIdEn
Private Attribute Configuration
The Private Attribute Configuration checkbox is enabled only for IKEv2 and is currently only visible in the Network Host test case. Select the Private Attribute Configuration checkbox to enable the private attribute feature, which allows you to add a maximum of ten IPv4 IPSec private attributes to the Configuration payload in the IKE_AUTH message for up to 30 Mobile Nodes. This feature is used in conjunction with the following:
Multiple Authentication
The Multiple Authentication settings panel (IKEv2 multiple authentication exchanges, RFC 4739) can only be used with IKEv2 for Data/Host IPsec, MnFa IPsec (PDIF applications), and in the MME Nodal/Node test cases.
Authentication Type
Select the Authentication Type from the drop-down list: Pre-Shared Keys, EAP, or RSA Signature. Depending on the option you select, additional settings are displayed. If you select RSA Signature as the Authentication Type (second authentication) and the IKE type is also IKE With RSA Signature (first authentication), the second authentication uses the same certificate settings provisioned for the first RSA authentication: the values provisioned in Private Key Filename, First Certificate Entry, File Format and X509 Certificate Filename for the first RSA authentication are used for the second. Tcl Parameter: DataAuthTypeM
Pre-Shared Key
The key, known to both peers, that is used during IKE Phase I authentication when IKE With Pre-Shared Keys is selected. Range: N/A Default: 0 Tcl Parameter: DataPreSharedKeyM
RSA Signature
Selecting RSA Signature displays the set of certificate setting options: File Format, Private Key Filename, First Certificate Entry and X509 Certificate Filename.
EAP with RSA
Select the EAP with RSA checkbox to enable the RSA certificate file inputs when EAP Authorization is selected. It re-enables the File Format, Private Key Filename and X509 Certificate Filename settings. Tcl Parameter: WfoApEapWithRsaEn
Support for EAP-only authentication to a AAA server via IKEv2 per RFC 5998: the responder does not authenticate with its certificate or pre-shared key; instead both peers derive their AUTH payloads from the key produced by the EAP method, which RFC 5998 permits only for EAP methods that provide mutual authentication and key generation. Available when IKE Version = V2 with RSA or PSK. Available for SWu IPSec in LTE to WiFi Inter Technology scenarios on the MME Nodal and Wifi Offload Gateway Nodal test cases. Tcl Parameter: DataEapOnlyAuthEn
EAP
When IKEv2 is used, the local peer can also support EAP authentication. Use the checkbox to enable EAP and click the EAP Settings... button to open the settings window. Tcl Parameter: DataEapEn