IPSec can be used to encrypt control plane traffic, Data Traffic, or both in a variety of test cases. With the IPSec settings, you can define the Internet Key Exchange (IKE) authentication mode and version used, and the encryption and identification information required to negotiate the IKE and IPSec Security Associations (SAs) that IPSec tunnels require. In some cases, multiple SAs per MN are supported and you can select the type of traffic that will be associated with each tunnel.
Data Traffic Testing — IPSec can be used in all data-capable nodal test cases to encrypt the Data Traffic exchanged between the MN and a local or remote Network Host. You can define up to sixteen IPSec tunnels, resulting in sixteen different IPSec SAs, and you can select the type of traffic that is routed through each tunnel. Tunnels can be terminated at the Network Host or at a Security Gateway between the MN and the Network Host. Enable IPSec with the Data IPSec checkbox located in the Test Options pane, and configure the test settings on the Data IPSec tab.
AAA Testing — IPSec can be used with Diameter traffic between the NAS and the AAA Server. Enable IPSec with the IPSec checkbox located on the NAS tab of the AAA Server Nodal test case and on the General tab of the AAA Server Node test case, and configure the test settings on the Diameter IPSec tab.
CDMA2000 Testing — IPSec can be used with MIP traffic between an FA SUT and an HA node (FA Nodal test case) or an HA SUT and an FA node (HA Nodal test case). Enable IPSec with the MIP IPSec checkbox located on the Test Configuration tab, and configure the test settings on the MIP IPSec tab.
CDMA Femtocell testing supports Femtocell and user data over IPSec. Enable IPSec with the Femtocell IPSec and/or Data IPSec checkbox located on the Test Configuration tab, and configure the test settings on the Femtocell IPSec tab and user data on the Data IPSec tab.
CSN Testing — IPSec can be used with MIP traffic between an HA SUT and an FA node. Enable IPSec with the MIP IPSec checkbox located on the Test Configuration tab, and configure the test settings on the MIP IPSec tab.
DCCA Testing — IPSec can be used with Diameter traffic between a DCCA Client and a DCCA Server. Enable IPSec with the IPSec checkbox located on the DCCA tab of the DCCA Nodal test case and on the Test Configuration tab of the DCCA Node test case. Configure the test settings on the DCCA IPSec tab.
IP Data Testing — IPSec must be used in the PDG Micro-Mobility test case in order for the MNs to attach to the PDG and register with their home network, and the Data IPSec tab is used to configure the IPSec settings. EAP, MOBIKE (IKEv2), and tunnel address allocation (remote IP address) are all integral to PDG testing.
L2TP VPN Gateway Testing — IPSec can be used with the L2TP control plane traffic between a LAC and an LNS in the LNS Nodal and LNS Node test cases. Enable IPSec with the L2TP IPSec checkbox on the Test Configuration tab, and configure the test settings on the L2TP IPSec tab.
Mobile IPv4 Testing — In the CDMA/WiFi Convergence test case, IPSec is always used to secure traffic between the MN and the PDIF-FA using IKEv2 with MOBIKE. Configure the settings on the MN-FA IPSec tab. You can optionally include MIP IPSec to secure traffic between the PDIF-FA SUT and an HA node, and include Data IPSec to secure bearer plane traffic in a VPN configuration.
Mobile IPv6 Testing — In the IPv6 HA Nodal test case, IPSec can be used with some or all of the traffic between an MN and its HA. Enable IPSec with the MIPv6 IPSec checkbox on the Test Configuration tab, and configure the test settings on the MIPv6 IPSec tab. You can define separate tunnels for different kinds of traffic, resulting in multiple SAs negotiated with the HA. When you include Route Optimization in the test, you can also use Data IPSec to encrypt Data Traffic between the MN and the CN.
This topic describes the settings that control overall IPSec test support and behavior. The topics listed under Related Parameters describe the settings used during IKE Phase I and Phase II, and the settings that determine how traffic is routed when multiple tunnels are used.
Use the drop-down list to select the IKE mode for the test. Parameters that are valid for the mode you select are enabled; parameters that are not applicable are disabled.
Options:
IKE With Pre-Shared Keys — Authentication using a static pre-shared key and either the MN's home address or an FQDN. The algorithms used in IKE Phase I and Phase II are configurable (see IKE Phase I Settings and IPSec Tunnel Definition), as are the SA lifetimes.
IKE with RSA Signature — Authentication using a digital certificate, verified by an RSA signature, and either the MN's home address, an FQDN, or the domain name from the certificate. The algorithms used in IKE Phase I and Phase II are configurable (see IKE Phase I Settings and IPSec Tunnel Definition), as are the SA lifetimes.
Pre-Provisioned — Simulates MNs that were configured with SAs when they were configured for their home link. In this case, IKE Phase I and IKE Phase II are not performed and the keying material normally exchanged during SA negotiation is known to both sides (see IPSec Algorithms and Keys and IPSec Tunnel Definition).
Default: IKE With Pre-Shared Keys
IMPORTANT:
Use the drop-down list to select the IKE version used. When you select V2, you can include EAP Authorization and provision the initiator and responder information for each tunnel with the Advanced settings.
NOTES:
Options: V1 or V2
Default: V1
Select the Include Peer ID checkbox to specify the contents of the ID-r payload that can be sent in the IKE_AUTH exchange for IKE version 2. Use the Type drop-down list to select the ID type. (Currently, Fully Qualified Domain Names is the only option available.) Define the elements that form the FQDN in the following fields:
Peer Host Name
Range: N/A
Default: PeerAgent
Peer Domain Name
Range: N/A
Default: spirent.net
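The Peer Host Name and Peer Domain Name fields above are joined into one FQDN that travels in the IKEv2 Identification payload. The following is an added example, not Spirent's code, showing how that payload is laid out on the wire per RFC 7296 section 3.5 (ID Type 2 = ID_FQDN, three reserved octets, then the name, all behind the generic payload header). The default values "PeerAgent" and "spirent.net" are taken from the page; the function names are assumptions.

```python
import struct

# ID Type value for a fully qualified domain name (RFC 7296, section 3.5).
ID_FQDN = 2
# Value of the Next Payload field when no payload follows this one.
NO_NEXT_PAYLOAD = 0
# Generic payload header (4 octets) + ID Type and 3 reserved octets (4 octets).
ID_FIXED_LEN = 8


def build_peer_fqdn(host_name: str, domain_name: str) -> str:
    """Join the Peer Host Name and Peer Domain Name fields into the IDr FQDN."""
    return f"{host_name}.{domain_name}"


def encode_id_payload(fqdn: str, next_payload: int = NO_NEXT_PAYLOAD) -> bytes:
    """Encode an ID_FQDN Identification payload including its generic header.

    Layout: Next Payload (1) | Critical bit + reserved (1) | Payload Length (2)
            | ID Type (1) | RESERVED (3) | Identification Data (variable).
    The payload's own type (36 for IDr) is carried in the *preceding* payload's
    Next Payload field, so it does not appear inside this encoding.
    """
    data = fqdn.encode("ascii")
    length = ID_FIXED_LEN + len(data)
    # "!BBHB3x": big-endian, three single octets, one 16-bit length, then 3 pad octets.
    return struct.pack("!BBHB3x", next_payload, 0, length, ID_FQDN) + data


def decode_id_payload(raw: bytes) -> dict:
    """Parse an ID_FQDN payload, rejecting length mismatches and unsupported ID types."""
    if len(raw) < ID_FIXED_LEN:
        raise ValueError("truncated Identification payload")
    next_payload, flags, length, id_type = struct.unpack("!BBHB", raw[:5])
    if length != len(raw):
        raise ValueError(f"length field {length} does not match {len(raw)} octets received")
    if id_type != ID_FQDN:
        raise ValueError(f"unsupported ID type {id_type}; only ID_FQDN handled here")
    return {
        "next_payload": next_payload,
        "critical": bool(flags & 0x80),  # Critical bit is the high bit of the second octet
        "id_type": id_type,
        "fqdn": raw[ID_FIXED_LEN:].decode("ascii"),
    }


if __name__ == "__main__":
    # Page defaults: Peer Host Name "PeerAgent", Peer Domain Name "spirent.net".
    payload = encode_id_payload(build_peer_fqdn("PeerAgent", "spirent.net"))
    print(payload.hex())
    print(decode_id_payload(payload))
```

The decoder's length check matters on the receiving side: an IKE implementation that trusts the Payload Length field without comparing it to the octets actually present is reading past the buffer, which is the classic parsing defect in this protocol family.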
When IKE Phase I and II are performed, Retry Interval defines the maximum number of seconds the test will wait for a required response to an IKE message before re-transmitting the message. Enter 0 to disable retries.
Range: 0 — 65535
Default: 30
If one of the IPSec peers is an MN, you can use the checkbox to enable IPSec NAT-T, which allows an MN with a private address to exchange IPSec packets with a peer while traversing a NAT gateway. When NAT-T is used, IPSec packets are encapsulated with UDP and a keep-alive packet is sent every 4 minutes to refresh the NAT gateway's UDP bindings.
When you enable NAT-T, you can configure the number of seconds for the NAT Keep-alive Interval timer.
Range: 0 — 65535
Default: 240
You can also define the NAT Source Port and NAT Destination Port.
Range: 0 — 65535
Default: 4500
NOTE: If the NAT gateway supports IPSec, the gateway will assume that it is the IPSec peer if port 500 is used.
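With NAT-T enabled, port 4500 carries three kinds of datagram: the one-octet keep-alive described above, IKE messages, and UDP-encapsulated ESP. The following is an added example, not Spirent's code, of how a monitoring tool tells them apart using the RFC 3948 rules (IKE on 4500 is prefixed with a four-octet zero "non-ESP marker"; ESP has no marker and its SPI is never zero; the keep-alive is a single 0xFF octet), and the IKE header layout shared by IKEv1 and IKEv2. It also handles plain port 500, where IKE has no marker, which is the case the NOTE above refers to. The sample datagrams are constructed here, not captured traffic, and all function names are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IKE_PORT = 500            # IKE without NAT-T: datagram starts with the IKE header
NAT_T_PORT = 4500         # NAT-T port; default NAT Source/Destination Port on the page
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 prefix on IKE sent over port 4500
NAT_KEEPALIVE = b"\xff"   # RFC 3948 section 2.3: one-octet NAT keep-alive
IKE_HEADER_LEN = 28       # fixed IKE/ISAKMP header length, IKEv1 and IKEv2

# Exchange-type numbers from RFC 2408 (IKEv1) and RFC 7296 (IKEv2), for labelling only.
EXCHANGE_NAMES = {
    2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive Mode", 5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode", 34: "IKE_SA_INIT", 35: "IKE_AUTH",
    36: "CREATE_CHILD_SA", 37: "INFORMATIONAL",
}


@dataclass
class Classified:
    kind: str                          # "nat-keepalive", "ike" or "esp"
    ike_version: Optional[int] = None  # IKE major version (1 or 2)
    exchange: Optional[str] = None     # IKE exchange type name
    esp_spi: Optional[int] = None      # SPI of a UDP-encapsulated ESP packet


def parse_ike_header(raw: bytes) -> Classified:
    """Validate the 28-octet IKE header: SPIs, version, exchange type, total length."""
    if len(raw) < IKE_HEADER_LEN:
        raise ValueError("IKE header truncated")
    ispi, _rspi, _next, version, exchange, _flags, _msg_id, length = struct.unpack(
        "!QQBBBBII", raw[:IKE_HEADER_LEN])
    major = version >> 4              # high nibble is MjVer, low nibble MnVer
    if major not in (1, 2):
        raise ValueError(f"unknown IKE major version {major}")
    if ispi == 0:
        raise ValueError("initiator SPI must be non-zero")
    if length != len(raw):
        # A length field that disagrees with the datagram is either corruption or
        # an attempt to make a parser read past the buffer; drop it either way.
        raise ValueError(f"IKE length {length} disagrees with datagram length {len(raw)}")
    return Classified("ike", ike_version=major,
                      exchange=EXCHANGE_NAMES.get(exchange, f"type {exchange}"))


def parse_udp_esp(raw: bytes) -> Classified:
    """UDP-encapsulated ESP: SPI (4) and sequence number (4) directly follow UDP."""
    if len(raw) < 8:
        raise ValueError("ESP header truncated")
    spi = struct.unpack("!I", raw[:4])[0]
    if spi == 0:
        # SPI 0 is reserved, which is exactly why the all-zero marker is unambiguous.
        raise ValueError("SPI 0 is reserved; not a valid ESP packet")
    return Classified("esp", esp_spi=spi)


def classify_udp_payload(dst_port: int, payload: bytes) -> Classified:
    """Classify one UDP payload seen on the IKE or NAT-T port."""
    if dst_port == IKE_PORT:
        return parse_ike_header(payload)
    if dst_port == NAT_T_PORT:
        if payload == NAT_KEEPALIVE:
            return Classified("nat-keepalive")
        if payload.startswith(NON_ESP_MARKER):
            return parse_ike_header(payload[len(NON_ESP_MARKER):])
        return parse_udp_esp(payload)
    raise ValueError(f"port {dst_port} is not an IKE/NAT-T port")


# Constructed samples (not captured traffic): an IKEv2 IKE_SA_INIT header with no
# payloads, and an ESP packet with SPI 0xABCD, sequence 1 and 16 octets of body.
def sample_ike_sa_init() -> bytes:
    return struct.pack("!QQBBBBII", 0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0,
                       IKE_HEADER_LEN)


def sample_esp() -> bytes:
    return struct.pack("!II", 0x0000ABCD, 1) + bytes(16)


if __name__ == "__main__":
    for port, pkt in [(NAT_T_PORT, NAT_KEEPALIVE),
                      (NAT_T_PORT, NON_ESP_MARKER + sample_ike_sa_init()),
                      (NAT_T_PORT, sample_esp()),
                      (IKE_PORT, sample_ike_sa_init())]:
        print(port, classify_udp_payload(port, pkt))
```

When reading a capture of a NAT-T test, the keep-alive cadence (one 0xFF datagram per NAT Keep-alive Interval, 240 seconds by default) is the quickest way to confirm that NAT-T was actually negotiated rather than plain port 500 IKE, and a steady stream of ESP datagrams whose SPI never changes across the configured SA lifetime is the usual sign that rekeying did not happen.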