With the Dynamic IPSec feature, you can add IPSec encryption to Data Traffic and simulate a VPN configuration with the Network Host in a private network or establish a SIP session with an IMS. In some test cases, you can also use IPSec to encrypt control plane traffic between an emulated node and an SUT.
In general, adding IPSec to a test consists of the following steps:
Before you start, you will need the following information about the Security Gateway:
IP address
IKE version, authentication method (pre-shared key, RSA signature, or pre-provisioned), and the credentials required
Encryption algorithms used
If you will be using IKE authentication with RSA signatures, at a minimum you will need to generate or import a private key and X.509 certificate files following the instructions in Using Digital Certificates. If you will be testing with IKEv2, you will also need to import a CA file with one or more root certificates.
To configure the IPSec parameters:
In most test cases, IPSec is optional. If possible, begin with a test that you have successfully executed without IPSec.
General options — Configure the options that control IPSec behavior. If IPSec is always used, an IPSec tab will be present in the test case. In some test cases, IPSec can be used more than once, with different tabs defining IPSec for MN Data Traffic and IPSec for control plane traffic between network nodes, for example. When IPSec is optional, you can enable it with a checkbox. See IPSec Test Options for more information about how IPSec can be enabled and used in each application or test case.
Open the test session and edit the test case.
Enable IPSec if necessary, and then select the IPSec tab.
Select the IKE Version... that is used by the peer.
Select the IKE... mode that controls whether and how IKE may be used to negotiate SAs. If you selected Pre-Provisioned, you can skip the IKE Settings section; otherwise, you can skip the IPSec Algorithms and Keys section.
If a NAT gateway is between the peers and a private address will not be obtained by the local peer (see step 4 in Tunnel Definition), check the NAT Traversal... box and define the source and destination ports.
IKE Phase I Settings — If IKE Phase I will be performed, the following parameters will be available in the upper pane for you to define the credentials and cipher suite used to negotiate IKE SAs.
If you selected V1, select an IKE Phase I Type... that is supported by the peer.
Select an Identification Type... acceptable to the remote peer. If you choose FQDN, you can provision unique values for every MN in either a host name (host.domain) or user name (user@domain) format. With MIPv6 IPSec, host and domain name are always required.
Select the Phase I algorithms:
Configure the proposed IKE SA lifetime...
Define the remaining authentication credentials depending on the IKE mode that you chose:
IKE With RSA Signature — Use the digital certificate settings to select the files that you prepared earlier and to set the number of entries in each file that will be used in the test.
IPSec Algorithms and Keys — In a Pre-Provisioned test, you configure the cipher suite and keys that would have been built in to the local peer. Select an algorithm and enter the applicable key for each of the following:
Tunnel Definition — Complete the definition with the IPSec SA settings and a traffic selection filter if more than one tunnel is supported. If you will be using more than one tunnel, use the IPSec Tunnel checkboxes to enable additional tunnels and follow these instructions to configure each tunnel.
If IKE Phase II will be performed, you can select the cipher suite and configure a proposed lifetime for each IPSec SA. Authentication Type and Encryption Key Type have slightly different options for the IKE SA and the IPSec SA.
Enter a unique Source SPI... for each tunnel and, if you are testing in Pre-Provisioned mode, enter the Peer SPI...
Select the ESP Data Mode... (see step 6 below if you are testing with MIPv6 IPSec).
If you selected V2, define the traffic selectors for each tunnel using the Advanced... button. When you use Tunnel mode with IKEv2, you can request that the gateway assign a private address with the Request Private Address... checkbox. In this case, NAT Traversal is not required.
If you are testing with Data IPSec, enter the remote peer's IP address in Security Gateway Address...
Finally, define the traffic filter for the tunnel. In most cases, Payload Destination ID... determines which packets will be routed through the tunnel. When multiple tunnels are supported, configure the filter parameters shown in the tables below for each tunnel's traffic type.
With Data IPSec, the combination of Protocol Type, Payload ID Destination, Payload Source Port, and Payload Destination Port determines the type of traffic the tunnel will bear (see Data Traffic Selection for definitions). You can route traffic generated by all DMFs through one tunnel, as long as all traffic is headed to the same destination, route separate DMFs through different tunnels, or segregate traffic by protocol as shown in the examples below. For more advanced data testing, you can trigger the start of IPSec from within the DMF.
| Traffic | Protocol Type | Payload Source Port | Payload Destination Port |
|---|---|---|---|
| All Data Traffic | Any | 0 | 0 |
| HTTP Traffic | TCP | 0 | 80 |
| SMTP Traffic | TCP | 0 | 25 |
| All UDP Traffic | UDP | 0 | 0 |
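As an added example (not part of the original documentation), the following script models the Data IPSec traffic filters from the table above and checks two things a practitioner wants to know before running: which tunnels' filters select a given packet (more than one means the filters overlap) and whether every tunnel has a unique Source SPI. It assumes, as the All Data Traffic row implies, that Protocol Type "Any" and port 0 act as wildcards; the tunnel names and SPI values are constructed.

```python
# Added example, not from the original documentation: a sanity check for the
# Data IPSec traffic filters and Source SPIs described above. Assumption
# (implied by the "All Data Traffic" row): "Any" and port 0 are wildcards.
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    name: str
    source_spi: int            # must be unique per tunnel
    protocol_type: str         # "Any", "TCP", "UDP"
    payload_src_port: int = 0  # 0 = any source port
    payload_dst_port: int = 0  # 0 = any destination port


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_port: int
    dst_port: int


def filter_matches(tunnel: Tunnel, pkt: Packet) -> bool:
    """True if the tunnel's traffic filter selects this packet."""
    if tunnel.protocol_type != "Any" and tunnel.protocol_type != pkt.protocol:
        return False
    if tunnel.payload_src_port and tunnel.payload_src_port != pkt.src_port:
        return False
    if tunnel.payload_dst_port and tunnel.payload_dst_port != pkt.dst_port:
        return False
    return True


def matching_tunnels(tunnels: list, pkt: Packet) -> list:
    """Names of every tunnel whose filter selects pkt; more than one name
    means the filters overlap and the packet's tunnel is ambiguous."""
    return [t.name for t in tunnels if filter_matches(t, pkt)]


def duplicate_spis(tunnels: list) -> list:
    """Source SPIs used by more than one tunnel (each must be unique)."""
    spis = [t.source_spi for t in tunnels]
    return sorted({s for s in spis if spis.count(s) > 1})


# Constructed tunnels mirroring the table rows; the SPI values are made up.
TUNNELS = [
    Tunnel("all-data", 0x1001, "Any"),
    Tunnel("http", 0x1002, "TCP", 0, 80),
    Tunnel("smtp", 0x1003, "TCP", 0, 25),
    Tunnel("udp", 0x1004, "UDP"),
]
```

Running `matching_tunnels(TUNNELS, Packet("TCP", 40000, 80))` reports both the all-data and http tunnels, which shows why a catch-all tunnel should not be combined with per-protocol tunnels unless that overlap is intended.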
With MIPv6 IPSec, the combination of Protocol Type, Payload ID Destination, and ESP Data Mode determines what type of traffic the tunnel will carry (see MIPv6 Traffic Selection for definitions).
| Traffic | Protocol Type | Payload ID Destination | ESP Data Mode |
|---|---|---|---|
| MN-HA Binding | Mobility Header | HA SUT address | Transport |
| Prefix Discovery | ICMPv6 | HA SUT address | Transport |
| Route Optimization | ICMPv6 | CN node address | Tunnel |
| Data Traffic | Any | ::0 | Tunnel |
OK the test case and Run the test session, and if the IPSec configuration is correct, you should see all sessions establish as they did without IPSec. You should also see MN IPSec Tunnel Attempts and MN IPSec Tunnel Successes on the Data Traffic measurement tab.
TROUBLESHOOT: