IKE Phase I Settings


During IKE Phase I, the IPSec peers authenticate each other and negotiate the IKE SA that will protect the keying material exchanged during IKE Phase II. If you selected IKE With Pre-Shared Keys or IKE With RSA Signature for the test's IKE mode, you can configure the credentials, algorithms, and methods used during IKE Phase I with the parameters described in this topic. With Pre-Provisioned mode, you configure the algorithms and keys described in IPSec Algorithms and Keys.

The topics listed under Related Parameters describe general IPSec test support settings, the settings used during Phase II, and the settings that determine how traffic is routed when multiple tunnels are used.

IKE Phase I Type

Use the drop-down list to select the mode used for IKE Phase I when IKEv1 is used. Aggressive mode is faster but less secure; Main mode is more secure but requires more processing.

Options:

  • Aggressive — Three messages are exchanged: the MN sends all of the security information, the peer returns the negotiated values, and the MN acknowledges receipt.

  • Main — Three two-way exchanges between the peers establish the algorithms and hashes used in the ISAKMP SA, establish the Diffie-Hellman keys, and authenticate the peers.

Default: Aggressive

Tcl Parameter: DataIkeMasterType

Authentication Credentials

Two types of credentials are presented for authentication: peer credentials that identify an individual peer and IPSec credentials that identify a peer as a member of a trusted group. Peer credentials are defined by Identification Type, are typically unique to one peer, and consist of an IP address or FQDN. The IPSec credentials used depend on the IKE mode you selected — pre-shared key or RSA signature — and may be common to many peers.

Identification Type

Use the drop-down list to select the type of peer credentials that are used for authentication.

NOTE: In the Wifi Offload Gateway Nodal test case, the following applies to the UE DNS query used to learn the PDG IP address:

  • Tunnel Type should be NONE (tunneled GRE and CAPWAP are not supported).
  • On the IPSec tab, the Identification Type FQDN must be in IMSI format (e.g., 505024101215074) so that the MN-NAI in the MIP (PMIPv6 Binding) is IMSI@APN name.
  • Tunnel Settings on the IPSec tab supports one tunnel (multiple IPSec tunnels are not supported).

Tcl Parameter: DataIpSecIdType

Options:

  • Distinguished Name — The DN is the name that uniquely identifies an entry in the directory. When you select the Distinguished Name option from the drop-down list, a default Distinguished Name displays your default Host/User Name and Domain Name information.

Tcl Parameter: DataDistinguishedName

  • Local IP Address — The local peer's IP address is used for the peer credential.

  • Fully Qualified Domain Names — Define the elements that form the FQDN in the fields provided. If more than one local peer is used in the test, you can provision a unique name for each peer with the Auto-Increment feature. The default values produce unique names in the format MNn.HomeAgent.net, where n begins at 1 and increments for each peer.

    TIP: The first character of Domain Name can be "@" — producing the user name format MNn@HomeAgent.net.

Host/User Name

Range: N/A

Default: MN#

Tcl Parameter: DataMobileNodeHostName

Domain Name

NOTE: The Domain Name is not validated and may be left blank, if required.

Range: N/A

Default: HomeAgent.net

Tcl Parameter: DataHaDomainName

  • Use X509 Certificate Domain Names (IKE With RSA Signature only) — The domain name is provisioned from the Subject Alternative Name of the certificate.

Default: Local IP Address

MIPv6 Testing

MN Host Name and MN Domain Name are always required regardless of the type of credentials selected.

Pre-Shared Key

The key, known to both peers, that is used during IKE Phase I authentication when IKE With Pre-Shared Keys is selected.

Range: N/A

Default: 0

Tcl Parameter: DataPreSharedKey

IKE With RSA Signature Options

See Digital Certificate Settings.

EAP Authorization

When IKEv2 is used, the local peer can also support EAP authentication. Use the checkbox to enable EAP and click the EAP Settings... button to open the settings window.

Tcl Parameter: DataAsnEapEn

NOTE: The Phase 1 certificate settings are available for selection when you enable the EAP Authorization check box.

IKE SA Lifetime Type

SA Lifetime Value

You can define the IKE SA lifetime type and value requested during IKE Phase I. The test will attempt to refresh the SA with the peer prior to expiration of the lifetime. A different lifetime can be requested for the IPSec SA during IKE Phase II.

SA Lifetime Type

Use the drop-down list to select the way in which the lifetime will be measured.

Options: Seconds or Kilobytes

Default: Seconds

Tcl Parameter: BsAsnSaLifeDurType

SA Lifetime Value

The maximum lifetime in seconds or kilobytes.

Range: N/A

Default: 28800

Tcl Parameter: DataSaLifeDur

Enable Reestablishment of IPSec Sessions

Select to enable reestablishment of the IPSec session after tunnel deletion.

Tcl Parameter: DataReestablishIpsecTunnelEn

Send Delete Informational Message Interval (s)

Only available in the Network Host test case. Used to send a Delete Request for an established IPSec session after the timer expires.

Range: 0 to 65535

Default: 0

Tcl Parameter: DataSendDeleteInformationalMsgInterval

Disable Child SA Delete Messages on shutdown

Disable Child SA Delete Messages on shutdown is available for IKE With Pre-Shared Keys and IKE With RSA Signature, for IKE V1 and V2.

Select Disable Child SA Delete Messages on shutdown to ensure that the Child SA is not deleted at the end of the test. By default the parameter is not selected, and both the Child SA and the IKE SA are deleted.

Value:  0 (disable) / 1 (enable)

Default: 0 (disabled)

Tcl Parameter: DisableSendDelIpsecMsgEn

Ignore Timeout on Rekey Delete Response

Ignore Timeout on Rekey Delete Response is available for IKE With Pre-Shared Keys and IKE With RSA Signature only for IKE V2.

Select Ignore Timeout on Rekey Delete Response to support client-initiated rekey attempts. (Selecting this parameter ensures that the new SA is up when the request acknowledgement is sent and the rekey is complete; that is, Landslide ignores the Informational Delete response from the SecGW in the Phase 1 rekey process.)

Not selecting Ignore Timeout on Rekey Delete Response ensures that no subsequent rekey occurs after the first rekey attempt by the client, and an IKE Phase 1 timeout message is logged. I then enabled the "Ignore Timeout on Rekey Delete Response" checkbox and re-ran the test. I verified that the client-initiated rekey attempts worked and that the error OM was no longer pegged.

Value:  0 (disable) / 1 (enable)

Default: 0 (disabled)

Tcl Parameter: IgnoreTimeoutRekeyDelRespEn

Inspect Rekey Packet

Inspect Rekey Packet is only needed for IKEv2. Select the Inspect Rekey Packet checkbox to allow the encrypted IKEv2 payload to be inspected before determining the packet's destination.

Default: disabled

Value:  0 (disable) / 1 (enable)

Tcl Parameter: DataInspectPacketEn

Initial Contact Notification

This is applicable to IKE Version 1 only. Select from the drop-down list when you would like to receive the initial contact notification: Following Phase 1 Negotiation or During Phase 1 Negotiation.

Tcl Parameter: DataIpsecInitialContactNotification

Initiate Contact Notification

This is applicable to IKE Version 2 only. Select the checkbox, then choose from the drop-down list when you would like to receive/initiate the contact notification: "SA_INIT" or "SA_Auth".

Tcl Parameter: DataIkev2InitContactNotification
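The version- and mode-specific constraints stated on this page (the IKEv1-only and IKEv2-only parameters, the X509 option that requires IKE With RSA Signature, the 0 to 65535 range of the Delete Informational interval, the Wifi Offload Gateway Nodal note under Identification Type, and the MNn.HomeAgent.net auto-increment format) collected into one pre-flight checker, as an added example that is not Landslide's own code. The keys IkeVersion, IkeMode, TestCase and TunnelType and the option strings for DataIpSecIdType are assumed names; the page does not give Tcl values for those selections.

```python
"""Pre-flight checks for the IKE Phase I settings on this page (added example, not
Landslide's own code). Keys are the Tcl parameter names listed above; 'IkeVersion',
'IkeMode', 'TestCase', 'TunnelType' and the DataIpSecIdType option strings are
assumed names, since the page gives no Tcl values for those selections."""
IKEV1_ONLY = ("DataIkeMasterType", "DataIpsecInitialContactNotification")
IKEV2_ONLY = ("DataAsnEapEn", "IgnoreTimeoutRekeyDelRespEn",
              "DataInspectPacketEn", "DataIkev2InitContactNotification")

def peer_fqdn(n, host="MN#", domain="HomeAgent.net"):
    """Expand the auto-increment template: MN# -> MNn.HomeAgent.net; a leading
    '@' in the domain gives the user-name form MNn@HomeAgent.net from the TIP."""
    name = host.replace("#", str(n))
    return name + domain if domain.startswith("@") else f"{name}.{domain}"

def check_phase1(cfg):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    ver = cfg.get("IkeVersion", 1)          # assumed key: 1 or 2
    mode = cfg.get("IkeMode", "PSK")        # assumed key: PSK, RSA or PREPROV
    for key in IKEV1_ONLY:
        if ver == 2 and key in cfg:
            findings.append(f"{key} applies to IKEv1 only")
    for key in IKEV2_ONLY:
        if ver == 1 and key in cfg:
            findings.append(f"{key} applies to IKEv2 only")
    if mode == "PSK":
        if str(cfg.get("DataPreSharedKey", "0")) == "0":
            findings.append("DataPreSharedKey left at the default value 0")
        if ver == 1 and cfg.get("DataIkeMasterType", "Aggressive") == "Aggressive":
            findings.append("Aggressive mode (the default) is less secure; consider Main")
    if cfg.get("DataIpSecIdType") == "X509" and mode != "RSA":
        findings.append("X509 certificate domain names require IKE With RSA Signature")
    if not 0 <= int(cfg.get("DataSendDeleteInformationalMsgInterval", 0)) <= 65535:
        findings.append("DataSendDeleteInformationalMsgInterval outside 0..65535")
    if cfg.get("TestCase") == "Wifi Offload Gateway Nodal":   # NOTE under Identification Type
        host = str(cfg.get("DataMobileNodeHostName", "MN#"))
        if cfg.get("TunnelType", "NONE") != "NONE":
            findings.append("Wifi Offload Gateway Nodal requires Tunnel Type NONE")
        if cfg.get("DataIpSecIdType") != "FQDN" or not host.isdigit():
            findings.append("Wifi Offload Gateway Nodal needs an FQDN whose host part is the IMSI")
    return findings

if __name__ == "__main__":
    # Constructed sample: an IKEv1 pre-shared-key test with every default left in place.
    for finding in check_phase1({"IkeVersion": 1, "IkeMode": "PSK"}):
        print("finding:", finding)
```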
