IKEv2 - Internet Key Exchange v2
What is IKEv2?
A protocol used to establish secure, authenticated communication channels. It negotiates and manages Security Associations (SAs) for IPsec.
Why is IKEv2 important?
Automates key exchange and security negotiation.
Supports mobility, NAT traversal, and is more efficient and reliable than IKEv1.
How IKEv2 works (in simple steps):
Initiator sends a request to start a secure session.
Responder replies with cryptographic parameters.
Both sides authenticate each other using certificates or pre-shared keys.
A secure tunnel is established for IPsec traffic.
Keys are refreshed periodically to maintain security.
Where is IKEv2 used?
VPNs (Remote Access and Site-to-Site)
Mobile networks (due to support for MOBIKE)
Enterprise security gateways
Secure communication over public networks
Which OSI Layer does this protocol belong to?
IKEv2 works with IPsec, which secures IP packets directly at Layer 3.
It handles negotiation of cryptographic keys and policies for IPsec.
Topics in this section,
In this section, you are going to learn
Terminology
Version Info
IKEv2 Version |
RFC Version |
Year |
Core Idea / Contribution |
|---|---|---|---|
IKEv2 Base Specification |
|||
RFC 4306 |
2005 |
Original specification of IKEv2, replacing IKEv1. Introduced simplified message exchange and |
|
better NAT traversal. |
|||
IKEv2 Updates |
|||
RFC 5996 |
2010 |
Updated IKEv2 with clarifications and minor enhancements. |
|
RFC 7296 |
2014 |
Current standard for IKEv2. Consolidates and replaces RFC 5996. |
|
Mobility Support (MOBIKE) |
|||
RFC 4555 |
2006 |
Enables IKEv2 to support IP address changes without re-establishing the tunnel crucial for |
|
mobile devices. |
|||
NAT Traversal |
|||
RFC 3947 |
2005 |
Describes NAT traversal for IPsec using UDP encapsulation. |
|
IKEv2 Redirect Mechanism |
|||
RFC 5685 |
2009 |
Allows redirection of IKEv2 clients to different gateways useful in load balancing and mobility. |
|
Post-Quantum Key Exchange (Hybrid) |
|||
RFC 8784 |
2020 |
Defines a hybrid key exchange method combining classical and post-quantum algorithms. |
|
Authentication Enhancements |
|||
RFC 7427 |
2015 |
Adds support for signature authentication using modern algorithms. |
|
Configuration Payloads |
|||
RFC 8598 |
2019 |
Enhances configuration payloads for better client configuration in enterprise and mobile |
|
environments. |
|||
Child SA Rekeying |
|||
RFC 4478 |
2006 |
Improves rekeying of IPsec SAs without interrupting traffic. |
Setup
Setup
IKE_SA_INIT Packet
S.No |
Protocol Packets |
Description |
Size(Bytes) |
|---|---|---|---|
1 |
IKE_SA_INIT Packet |
|
~100300 |
Header |
Common IKEv2 header |
28 |
|
Initiator SPI |
Security Parameter Index for initiator |
8 |
|
Responder SPI |
Initially zero; filled by responder |
8 |
|
Next Payload |
Indicates the type of next payload |
1 |
|
Version |
IKE version (2.0) |
1 |
|
Exchange Type |
IKE_SA_INIT = 34 |
1 |
|
Flags |
Indicates initiator/responder, request/response |
1 |
|
Message ID |
Identifies message sequence |
4 |
|
Length |
Total message length |
4 |
|
Payload: SA |
Security Association proposal |
Variable |
|
Payload: KE |
Diffie-Hellman key exchange value |
Variable |
|
Payload: Nonce |
Random value for key derivation |
1632 |
|
Payload: NAT-D (optional) |
NAT detection |
Variable |
IKE_AUTH Packet
S.No |
Protocol Packets |
Description |
Size(Bytes) |
|---|---|---|---|
2 |
IKE_AUTH Packet |
Authenticates peers and establishes the first CHILD_SA. Used in secure mobile or enterprise communication |
~200600 |
Header |
Same as IKE_SA_INIT |
28 |
|
Initiator SPI |
Security Parameter Index for initiator |
8 |
|
Responder SPI |
Initially zero; filled by responder |
8 |
|
Next Payload |
Indicates the type of next payload |
1 |
|
Version |
IKE version (2.0) |
1 |
|
Exchange Type |
IKE_SA_INIT = 34 |
1 |
|
Flags |
Indicates initiator/responder, request/response |
1 |
|
Message ID |
Identifies message sequence |
4 |
|
Length |
Total message length |
4 |
|
Payload: IDi |
Initiator identity |
Variable |
|
Payload: IDr |
Responder identity |
Variable |
|
Payload: AUTH |
Authentication data (e.g., signature or MAC) |
Variable |
|
Payload: SA |
CHILD_SA proposal |
Variable |
|
Payload: TSi / TSr |
Traffic selectors |
Variable |
|
Payload: Encrypted |
Encrypted container for sensitive data |
Variable |
CREATE_CHILD_SA Packet
S.No |
Protocol Packets |
Description |
Size(Bytes) |
|---|---|---|---|
3 |
CREATE_CHILD_SA Packet |
Used to create or rekey IPsec SAs. In non-VPN contexts, it supports secure session refresh or expansion |
~100300 |
Header |
Same as IKE_SA_INIT |
28 |
|
Initiator SPI |
Security Parameter Index for initiator |
8 |
|
Responder SPI |
Initially zero; filled by responder |
8 |
|
Next Payload |
Indicates the type of next payload |
1 |
|
Version |
IKE version (2.0) |
1 |
|
Exchange Type |
IKE_SA_INIT = 34 |
1 |
|
Flags |
Indicates initiator/responder, request/response |
1 |
|
Message ID |
Identifies message sequence |
4 |
|
Length |
Total message length |
4 |
|
Payload: SA |
New Security Association proposal |
Variable |
|
Payload: KE |
New Diffie-Hellman key exchange value |
Variable |
|
Payload: Nonce |
New random value for key derivation |
1632 |
|
Payload: TSi |
Traffic Selector - Initiator |
Variable |
|
Payload: TSr |
Traffic Selector - Responder |
Variable |
INFORMATIONAL Packet
S.No |
Protocol Packets |
Description |
Size(Bytes) |
|---|---|---|---|
4 |
INFORMATIONAL Packet |
|
~60200 |
Header |
Same as IKE_SA_INIT |
28 |
|
Initiator SPI |
Security Parameter Index for initiator |
8 |
|
Responder SPI |
Initially zero; filled by responder |
8 |
|
Next Payload |
Indicates the type of next payload |
1 |
|
Version |
IKE version (2.0) |
1 |
|
Exchange Type |
IKE_SA_INIT = 34 |
1 |
|
Flags |
Indicates initiator/responder, request/response |
1 |
|
Message ID |
Identifies message sequence |
4 |
|
Length |
Total message length |
4 |
|
Payload: Delete |
Request to delete SAs |
Variable |
|
Payload: Notify |
Notifications or error messages |
Variable |
|
Payload: Encrypted |
Encrypted container for sensitive payloads |
Variable |
S.no |
Use Case |
Description |
|---|---|---|
1 |
Mobile IP Security |
IKEv2 with MOBIKE enables secure communication for mobile devices that frequently change networks (e.g., from Wi-Fi to cellular). |
2 |
IoT Device Communication |
Lightweight and secure method for IoT devices to establish encrypted tunnels with central servers or gateways. |
3 |
Enterprise Network Segmentation |
Secures communication between internal network segments or data centers without exposing traffic to the public internet. |
4 |
Cloud Interconnects |
Used to establish secure tunnels between cloud environments and on-premises infrastructure, often without traditional VPN clients. |
5 |
Post-Quantum Security Testing |
Supports hybrid key exchange mechanisms for evaluating post-quantum cryptography in secure IP communications. |
6 |
Secure Remote Management |
Enables secure access to remote systems or devices (e.g., routers, servers) over IP networks without full VPN deployment. |
7 |
Automated Key Exchange for IPsec |
Handles dynamic negotiation and rekeying of cryptographic keys for IPsec-protected traffic in non-VPN scenarios. |
8 |
Carrier-Grade NAT Traversal |
Facilitates secure communication across large-scale NAT environments, common in ISPs and mobile networks. |
S.no |
Feature |
Description |
|---|---|---|
1 |
Secure Key Exchange |
Uses Diffie-Hellman and cryptographic algorithms to securely exchange keys between peers in mobile or embedded systems. |
2 |
Authentication |
Supports mutual authentication using pre-shared keys, certificates, or EAP methods essential for secure device-to-device or device-to-server communication. |
3 |
Security Associations (SAs) |
Establishes and manages SAs that define encryption and authentication parameters for IPsec-protected communication. |
4 |
Mobility and Multihoming (MOBIKE) |
Maintains secure sessions across IP address changes, ideal for mobile devices and roaming users. |
5 |
Session Resumption |
Enables fast re-establishment of secure sessions after temporary disconnections, improving reliability in mobile and IoT networks. |
6 |
Message Fragmentation |
Supports fragmentation of large IKE messages to avoid MTU-related issues in |
constrained or variable networks. |
||
7 |
Traffic Selectors |
Defines which traffic should be protected useful for securing specific flows in enterprise or cloud environments. |
8 |
Encryption Agility |
Supports multiple encryption and hashing algorithms (e.g., AES, SHA-2), allowing flexible and future-proof security policies. |
9 |
Post-Quantum Readiness |
Experimental support for post-quantum cryptographic algorithms to secure future IP-based communications. |
10 |
Extensibility via Payloads |
Modular payload design (SA, KE, AUTH, etc.) allows IKEv2 to be adapted for diverse secure communication scenarios beyond VPNs. |
Secure Key Exchange - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
IKE_SA_INIT Exchange |
Initiate IKE_SA_INIT |
SA_INIT messages exchanged |
2 |
IKE_AUTH Exchange |
Complete IKE_AUTH |
Authentication successful |
3 |
DH Group 14 Negotiation |
Use Diffie-Hellman Group 14 |
Keys exchanged securely |
4 |
DH Group 19 Negotiation |
Use ECP Group 19 |
Keys exchanged securely |
5 |
DH Group Mismatch |
Use mismatched DH groups |
Negotiation fails |
6 |
PSK Authentication |
Use pre-shared key |
Authentication succeeds |
7 |
Certificate Authentication |
Use X.509 certificates |
Authentication succeeds |
8 |
Invalid Certificate |
Use expired or invalid cert |
Authentication fails |
9 |
RSA Signature Authentication |
Use RSA signature for auth |
Auth succeeds if signature valid |
10 |
ECDSA Authentication |
Use ECDSA for authentication |
Auth succeeds if supported |
11 |
Key Exchange with NAT |
Perform key exchange behind NAT |
NAT-T used, keys exchanged |
12 |
NAT Detection Payload |
Include NAT detection payload |
NAT presence detected |
13 |
Key Exchange with Fragmentation |
Send large messages |
Fragments reassembled |
14 |
Key Exchange with Packet Loss |
Drop packets during exchange |
Retransmission occurs |
15 |
Key Exchange with Replay Attack |
Replay IKE_SA_INIT |
Message rejected |
16 |
Key Exchange with Invalid Nonce |
Use invalid nonce |
Exchange fails |
17 |
Key Exchange with Invalid SPI |
Use invalid SPI |
Message dropped |
18 |
Key Exchange with Logging Enabled |
Enable logging |
Key exchange events logged |
19 |
Key Exchange with Debugging |
Enable debug mode |
Detailed logs available |
20 |
Key Exchange with Wireshark |
Capture exchange |
Encrypted payloads visible |
21 |
Key Exchange with IPv4 |
Use IPv4 transport |
Exchange succeeds |
22 |
Key Exchange with IPv6 |
Use IPv6 transport |
Exchange succeeds |
23 |
Key Exchange with UDP |
Use UDP port 500/4500 |
Exchange succeeds |
24 |
Key Exchange with TCP (invalid) |
Attempt over TCP |
Exchange fails |
25 |
Key Exchange with High Latency |
Simulate high latency |
Exchange completes with delay |
26 |
Key Exchange with Low Bandwidth |
Simulate low bandwidth |
Exchange completes |
27 |
Key Exchange with DoS Simulation |
Flood IKE port |
Exchange may fail or throttle |
28 |
Key Exchange with Invalid Payload |
Send malformed payload |
Exchange fails |
29 |
Key Exchange with Vendor Interop |
Use different vendor implementations |
Exchange succeeds if compliant |
30 |
Key Exchange with Rekeying |
Trigger rekeying |
New keys negotiated |
31 |
Key Exchange with PFS |
Enable Perfect Forward Secrecy |
New DH exchange performed |
32 |
Key Exchange with Multiple Peers |
Initiate exchanges with multiple peers |
All exchanges succeed |
33 |
Key Exchange with Session Timeout |
Let session idle |
SA expires |
34 |
Key Exchange with Invalid IDi |
Use invalid initiator ID |
Exchange fails |
35 |
Key Exchange with Invalid IDr |
Use invalid responder ID |
Exchange fails |
36 |
Key Exchange with MOBIKE |
Enable MOBIKE |
Exchange adapts to IP changes |
37 |
Key Exchange with Fragment Support |
Enable IKEv2 fragmentation |
Large messages handled |
38 |
Key Exchange with Cookie Challenge |
Trigger cookie challenge |
Initiator retries with cookie |
39 |
Key Exchange with Dead Peer |
Simulate dead responder |
Exchange times out |
40 |
Key Exchange with Responder Crash |
Crash responder mid-exchange |
Exchange fails |
41 |
Key Exchange with Responder Restart |
Restart responder |
Exchange re-initiated |
42 |
Key Exchange with Invalid Hash |
Use invalid hash algorithm |
Exchange fails |
43 |
Key Exchange with AES-GCM |
Use AES-GCM for encryption |
Keys negotiated with AES-GCM |
44 |
Key Exchange with AES-CBC |
Use AES-CBC for encryption |
Keys negotiated with AES-CBC |
45 |
Key Exchange with SHA-256 |
Use SHA-256 for integrity |
Keys negotiated with SHA-256 |
46 |
Key Exchange with SHA-512 |
Use SHA-512 for integrity |
Keys negotiated with SHA-512 |
47 |
Key Exchange with Invalid Proposal |
Use unsupported proposal |
Exchange fails |
48 |
Key Exchange with Multiple Proposals |
Offer multiple proposals |
Best match selected |
49 |
Key Exchange with Policy Mismatch |
Use mismatched policies |
Exchange fails |
50 |
Key Exchange with Successful SA |
Complete full IKEv2 exchange |
IKE SA and CHILD SA established |
Authentication - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
PSK Authentication |
Use pre-shared key for authentication |
Authentication succeeds |
2 |
Certificate-Based Authentication |
Use X.509 certificates |
Authentication succeeds |
3 |
EAP Authentication |
Use EAP method (e.g., EAP-MSCHAPv2) |
Authentication succeeds |
4 |
RSA Signature Authentication |
Use RSA digital signature |
Signature verified |
5 |
ECDSA Authentication |
Use ECDSA for authentication |
Signature verified |
6 |
Invalid PSK |
Use incorrect pre-shared key |
Authentication fails |
7 |
Expired Certificate |
Use expired certificate |
Authentication fails |
8 |
Revoked Certificate |
Use certificate on CRL |
Authentication fails |
9 |
Self-Signed Certificate |
Use self-signed certificate |
Authentication fails or warning |
10 |
Mismatched IDi/IDr |
Use incorrect identity payloads |
Authentication fails |
11 |
Missing IDi |
Omit initiator identity |
Authentication fails |
12 |
Missing IDr |
Omit responder identity |
Authentication fails |
13 |
Certificate Chain Validation |
Use intermediate CA |
Chain validated |
14 |
Certificate with SAN |
Use Subject Alternative Name in cert |
SAN matched |
15 |
Certificate with CN Only |
Use Common Name only |
CN matched |
16 |
Certificate with Invalid Signature |
Use cert with invalid signature |
Authentication fails |
17 |
Certificate with Unsupported Algo |
Use unsupported signature algorithm |
Authentication fails |
18 |
EAP with Username/Password |
Use EAP-MSCHAPv2 |
Credentials validated |
19 |
EAP with OTP |
Use EAP with one-time password |
OTP validated |
20 |
EAP with Token |
Use EAP with hardware token |
Token validated |
21 |
EAP with Invalid Credentials |
Use wrong username/password |
Authentication fails |
22 |
EAP with No Identity |
Omit EAP identity |
Authentication fails |
23 |
EAP with Identity Mismatch |
Use mismatched EAP identity |
Authentication fails |
24 |
Authentication Retry |
Retry after failure |
Authentication succeeds |
25 |
Authentication Timeout |
Delay response |
Authentication fails |
26 |
Authentication with NAT |
Authenticate behind NAT |
Authentication succeeds |
27 |
Authentication with IPv6 |
Use IPv6 transport |
Authentication succeeds |
28 |
Authentication with IPv4 |
Use IPv4 transport |
Authentication succeeds |
29 |
Authentication with Fragmentation |
Fragment authentication payload |
Reassembled and validated |
30 |
Authentication with Logging |
Enable logging |
Auth events logged |
31 |
Authentication with Debugging |
Enable debug mode |
Detailed logs available |
32 |
Authentication with Wireshark |
Capture authentication exchange |
Encrypted payloads visible |
33 |
Authentication with MOBIKE |
Use MOBIKE |
Auth remains valid after IP change |
34 |
Authentication with Rekeying |
Re-authenticate during rekeying |
New keys authenticated |
35 |
Authentication with Multiple Peers |
Authenticate with multiple peers |
All succeed |
36 |
Authentication with DoS Attack |
Flood IKE port |
Auth throttled or blocked |
37 |
Authentication with Cookie Challenge |
Trigger cookie challenge |
Auth proceeds after cookie |
38 |
Authentication with Invalid Hash |
Use invalid hash algorithm |
Authentication fails |
39 |
Authentication with AES-GCM |
Use AES-GCM for encryption |
Authenticated encryption succeeds |
40 |
Authentication with AES-CBC |
Use AES-CBC for encryption |
Authenticated encryption succeeds |
41 |
Authentication with SHA-256 |
Use SHA-256 for integrity |
Auth succeeds |
42 |
Authentication with SHA-512 |
Use SHA-512 for integrity |
Auth succeeds |
43 |
Authentication with Policy Mismatch |
Use mismatched auth policies |
Auth fails |
44 |
Authentication with Vendor Interop |
Authenticate with different vendor |
Auth succeeds if compliant |
45 |
Authentication with Invalid SPI |
Use invalid SPI |
Auth fails |
46 |
Authentication with Replay Attack |
Replay authentication message |
Message rejected |
47 |
Authentication with Certificate Pinning |
Use pinned certificate |
Auth succeeds if match |
48 |
Authentication with CRL Check |
Validate against CRL |
Revoked cert rejected |
49 |
Authentication with OCSP |
Use OCSP for cert validation |
Cert status verified |
50 |
Authentication with Successful SA |
Complete full IKEv2 exchange with auth |
IKE SA and CHILD SA established |
Security Associations (SAs) - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
IKE SA Initialization |
Initiate IKE SA between peers |
IKE SA established |
2 |
CHILD SA Creation |
Create CHILD SA after IKE SA |
CHILD SA established |
3 |
SA Negotiation with AES-GCM |
Negotiate SA with AES-GCM encryption |
SA established with AES-GCM |
4 |
SA Negotiation with AES-CBC |
Negotiate SA with AES-CBC encryption |
SA established with AES-CBC |
5 |
SA Negotiation with SHA-256 |
Use SHA-256 for integrity |
SA established with SHA-256 |
6 |
SA Negotiation with SHA-512 |
Use SHA-512 for integrity |
SA established with SHA-512 |
7 |
SA with DH Group 14 |
Use DH Group 14 for key exchange |
SA established securely |
8 |
SA with DH Group 19 |
Use ECP Group 19 |
SA established securely |
9 |
SA with PFS Enabled |
Enable Perfect Forward Secrecy |
New DH exchange performed |
10 |
SA with PFS Disabled |
Disable PFS |
SA established without new DH |
11 |
SA Rekeying |
Trigger rekeying of SA |
New SA replaces old one |
12 |
SA Lifetime Expiry |
Let SA expire naturally |
SA deleted |
13 |
SA Manual Deletion |
Delete SA manually |
SA removed |
14 |
SA with NAT Traversal |
Establish SA behind NAT |
NAT-T used, SA established |
15 |
SA with Fragmentation |
Send large packets |
SA handles fragmentation |
16 |
SA with Packet Loss |
Drop packets during negotiation |
SA established after retransmission |
17 |
SA with Replay Protection |
Replay encrypted packet |
Packet dropped |
18 |
SA with Invalid SPI |
Use invalid SPI |
Packet dropped |
19 |
SA with Invalid Proposal |
Use unsupported proposal |
SA negotiation fails |
20 |
SA with Multiple Proposals |
Offer multiple proposals |
Best match selected |
21 |
SA with Policy Mismatch |
Use mismatched policies |
SA negotiation fails |
22 |
SA with Logging Enabled |
Enable logging |
SA events logged |
23 |
SA with Debugging Enabled |
Enable debug mode |
Detailed logs available |
24 |
SA with Wireshark Capture |
Capture SA negotiation |
Encrypted payloads visible |
25 |
SA with IPv4 Transport |
Use IPv4 for SA |
SA established |
26 |
SA with IPv6 Transport |
Use IPv6 for SA |
SA established |
27 |
SA with UDP Transport |
Use UDP port 500/4500 |
SA established |
28 |
SA with TCP (invalid) |
Attempt SA over TCP |
SA negotiation fails |
29 |
SA with High Latency |
Simulate high latency |
SA established with delay |
30 |
SA with Low Bandwidth |
Simulate low bandwidth |
SA established |
31 |
SA with DoS Simulation |
Flood IKE port |
SA negotiation throttled or blocked |
32 |
SA with Vendor Interop |
Use different vendor implementations |
SA established if compliant |
33 |
SA with MOBIKE Enabled |
Enable MOBIKE |
SA remains valid after IP change |
34 |
SA with MOBIKE Disabled |
Disable MOBIKE |
SA breaks on IP change |
35 |
SA with Multiple CHILD SAs |
Create multiple CHILD SAs under one IKE SA |
All CHILD SAs established |
36 |
SA with CHILD SA Deletion |
Delete one CHILD SA |
Other CHILD SAs remain |
37 |
SA with IKE SA Deletion |
Delete IKE SA |
All CHILD SAs deleted |
38 |
SA with Invalid Nonce |
Use invalid nonce |
SA negotiation fails |
39 |
SA with Cookie Challenge |
Trigger cookie challenge |
SA established after retry |
40 |
SA with Certificate Authentication |
Use certificates for auth |
SA established securely |
41 |
SA with PSK Authentication |
Use pre-shared key |
SA established securely |
42 |
SA with EAP Authentication |
Use EAP method |
SA established securely |
43 |
SA with Session Timeout |
Let SA idle |
SA expires |
44 |
SA with Rekeying Interval |
Set short rekeying interval |
Frequent SA updates |
45 |
SA with Traffic Selector Narrowing |
Use narrowed traffic selectors |
SA established with limited scope |
46 |
SA with Traffic Selector Mismatch |
Use mismatched selectors |
SA negotiation fails |
47 |
SA with Invalid ID Payload |
Use invalid IDi or IDr |
SA negotiation fails |
48 |
SA with Encryption Disabled |
Attempt SA without encryption |
SA negotiation fails |
49 |
SA with Authentication Disabled |
Attempt SA without authentication |
SA negotiation fails |
50 |
SA with Successful Exchange |
Complete full IKEv2 exchange |
IKE SA and CHILD SA established |
Mobility and Multihoming (MOBIKE) - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
MOBIKE Support Detection |
Check if both peers support MOBIKE |
MOBIKE negotiation succeeds |
2 |
MOBIKE Disabled |
Disable MOBIKE on one peer |
MOBIKE not used |
3 |
IP Address Change (Client) |
Change client IP address |
SA remains valid |
4 |
IP Address Change (Server) |
Change server IP address |
SA remains valid |
5 |
NAT Rebinding |
Change NAT mapping during session |
SA remains valid |
6 |
Interface Switch (Wi-Fi to LTE) |
Switch client interface |
SA remains valid |
7 |
Interface Switch (LTE to Wi-Fi) |
Switch back to original interface |
SA remains valid |
8 |
Dual Interface Availability |
Enable two interfaces simultaneously |
MOBIKE selects best path |
9 |
Interface Failover |
Disable primary interface |
MOBIKE switches to secondary |
10 |
Interface Recovery |
Re-enable primary interface |
MOBIKE may switch back |
11 |
IP Address Change with NAT-T |
Change IP behind NAT |
MOBIKE handles NAT rebinding |
12 |
MOBIKE with IPv4 |
Use IPv4 transport |
MOBIKE functions correctly |
13 |
MOBIKE with IPv6 |
Use IPv6 transport |
MOBIKE functions correctly |
14 |
MOBIKE with Dual Stack |
Use both IPv4 and IPv6 |
MOBIKE selects preferred path |
15 |
MOBIKE with Fragmentation |
Send large packets |
Packets reassembled |
16 |
MOBIKE with Packet Loss |
Drop packets during migration |
MOBIKE retries |
17 |
MOBIKE with High Latency |
Simulate high latency |
MOBIKE adapts |
18 |
MOBIKE with Low Bandwidth |
Simulate low bandwidth |
MOBIKE adapts |
19 |
MOBIKE with DoS Simulation |
Flood one interface |
MOBIKE switches path |
20 |
MOBIKE with Logging Enabled |
Enable logging |
MOBIKE events logged |
21 |
MOBIKE with Debugging Enabled |
Enable debug mode |
Detailed logs available |
22 |
MOBIKE with Wireshark |
Capture MOBIKE messages |
UPDATE_SA_ADDRESSES visible |
23 |
MOBIKE with Vendor Interop |
Use different vendor stacks |
MOBIKE functions if compliant |
24 |
MOBIKE with Rekeying |
Rekey after IP change |
New SA established |
25 |
MOBIKE with PFS |
Use Perfect Forward Secrecy |
DH exchange succeeds after migration |
26 |
MOBIKE with Certificate Auth |
Use certificates |
Auth remains valid after IP change |
27 |
MOBIKE with PSK Auth |
Use pre-shared key |
Auth remains valid after IP change |
28 |
MOBIKE with EAP Auth |
Use EAP authentication |
Auth remains valid after IP change |
29 |
MOBIKE with Session Timeout |
Let session idle after migration |
SA expires |
30 |
MOBIKE with Invalid Update |
Send malformed UPDATE_SA_ADDRESSES |
Message rejected |
31 |
MOBIKE with Invalid SPI |
Use invalid SPI in update |
Message dropped |
32 |
MOBIKE with Invalid Nonce |
Use invalid nonce |
Update rejected |
33 |
MOBIKE with Cookie Challenge |
Trigger cookie challenge |
MOBIKE resumes after retry |
34 |
MOBIKE with Traffic Selector Change |
Change traffic selectors |
SA updated accordingly |
35 |
MOBIKE with Multiple CHILD SAs |
Maintain multiple CHILD SAs |
All remain valid after migration |
36 |
MOBIKE with CHILD SA Deletion |
Delete one CHILD SA |
Others remain valid |
37 |
MOBIKE with IKE SA Deletion |
Delete IKE SA |
All CHILD SAs deleted |
38 |
MOBIKE with NAT Detection Payload |
Include NAT detection payload |
NAT presence detected |
39 |
MOBIKE with No NAT Detection |
Omit NAT detection payload |
MOBIKE may not function |
40 |
MOBIKE with IPsec Policy Update |
Update IPsec policy after migration |
SA updated accordingly |
41 |
MOBIKE with Interface Priority |
Set interface priority |
MOBIKE uses preferred interface |
42 |
MOBIKE with Routing Change |
Change routing table |
MOBIKE adapts |
43 |
MOBIKE with DNS Update |
Change DNS resolution of peer |
MOBIKE reconnects |
44 |
MOBIKE with Firewall Rebinding |
Rebind to new port after firewall change |
MOBIKE resumes |
45 |
MOBIKE with UDP Port Change |
Change UDP port |
MOBIKE resumes |
46 |
MOBIKE with IP Blacklisting |
Blacklist one IP |
MOBIKE switches to alternate |
47 |
MOBIKE with Tunnel Mode |
Use tunnel mode |
MOBIKE functions correctly |
48 |
MOBIKE with Transport Mode |
Use transport mode |
MOBIKE functions correctly |
49 |
MOBIKE with Invalid Address Update |
Send invalid IP in update |
Update rejected |
50 |
MOBIKE with Successful Migration |
Complete full IP migration |
SA remains valid, traffic uninterrupted |
Session Resumption - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
Session Resumption Support |
Check if both peers support session resumption |
Resumption capability negotiated |
2 |
Session Resumption Disabled |
Disable resumption on one peer |
Full IKE exchange required |
3 |
Resume After Reboot (Client) |
Reboot client and attempt resumption |
Session resumed if state preserved |
4 |
Resume After Reboot (Server) |
Reboot server and attempt resumption |
Session resumed if state preserved |
5 |
Resume After Timeout |
Resume session after idle timeout |
Session resumed |
6 |
Resume After IP Change |
Change client IP and resume session |
Session resumed via MOBIKE |
7 |
Resume After NAT Rebinding |
NAT mapping changes |
Session resumed |
8 |
Resume with Valid Ticket |
Use valid session ticket |
Session resumed |
9 |
Resume with Expired Ticket |
Use expired session ticket |
Resumption fails |
10 |
Resume with Invalid Ticket |
Use tampered session ticket |
Resumption fails |
11 |
Resume with Encrypted Ticket |
Use encrypted ticket |
Ticket decrypted and validated |
12 |
Resume with Ticket Lifetime |
Set short ticket lifetime |
Ticket expires as expected |
13 |
Resume with Ticket Renewal |
Renew session ticket |
New ticket issued |
14 |
Resume with Ticket Replay |
Replay old ticket |
Ticket rejected |
15 |
Resume with Ticket Binding |
Bind ticket to IP or ID |
Ticket accepted only if match |
16 |
Resume with Logging Enabled |
Enable logging |
Resumption events logged |
17 |
Resume with Debugging Enabled |
Enable debug mode |
Detailed logs available |
18 |
Resume with Wireshark |
Capture resumption exchange |
Shortened handshake visible |
19 |
Resume with IPv4 |
Use IPv4 transport |
Session resumed |
20 |
Resume with IPv6 |
Use IPv6 transport |
Session resumed |
21 |
Resume with UDP Port 4500 |
Use NAT-T port |
Session resumed |
22 |
Resume with Fragmentation |
Resume with large payloads |
Packets reassembled |
23 |
Resume with Packet Loss |
Drop packets during resumption |
Retransmission occurs |
24 |
Resume with High Latency |
Simulate high latency |
Session resumed with delay |
25 |
Resume with Low Bandwidth |
Simulate low bandwidth |
Session resumed |
26 |
Resume with DoS Simulation |
Flood IKE port |
Resumption throttled or blocked |
27 |
Resume with Certificate Auth |
Use certificate authentication |
Session resumed securely |
28 |
Resume with PSK Auth |
Use pre-shared key |
Session resumed securely |
29 |
Resume with EAP Auth |
Use EAP authentication |
Session resumed securely |
30 |
Resume with Rekeying |
Rekey after resumption |
New keys negotiated |
31 |
Resume with CHILD SA |
Resume and create new CHILD SA |
CHILD SA established |
32 |
Resume with Multiple CHILD SAs |
Resume and restore multiple CHILD SAs |
All SAs restored |
33 |
Resume with MOBIKE |
Resume session after IP change |
Session resumed |
34 |
Resume with Invalid SPI |
Use invalid SPI in resumption |
Message dropped |
35 |
Resume with Invalid Nonce |
Use invalid nonce |
Resumption fails |
36 |
Resume with Cookie Challenge |
Trigger cookie challenge |
Resumption proceeds after retry |
37 |
Resume with Policy Mismatch |
Change policy after ticket issued |
Resumption fails |
38 |
Resume with Vendor Interop |
Resume session with different vendor |
Resumption succeeds if compliant |
39 |
Resume with Session Migration |
Move session to new server |
Resumption fails unless state shared |
40 |
Resume with Session Cloning |
Clone session ticket |
Resumption fails if binding enforced |
41 |
Resume with Ticket Rotation |
Rotate session ticket keys |
Old tickets invalidated |
42 |
Resume with Ticket Size Limit |
Use large ticket |
Ticket accepted if within limit |
43 |
Resume with Stateless Server |
Use stateless ticket validation |
Session resumed |
44 |
Resume with Stateful Server |
Use server-side session cache |
Session resumed |
45 |
Resume with Ticket Expiry Logging |
Log ticket expiration |
Expiry events logged |
46 |
Resume with Ticket Renewal Logging |
Log ticket renewal |
Renewal events logged |
47 |
Resume with Ticket Format Check |
Validate ticket structure |
Ticket accepted if valid |
48 |
Resume with Ticket Encryption Check |
Validate ticket encryption |
Ticket decrypted successfully |
49 |
Resume with Ticket Integrity Check |
Validate ticket MAC |
Ticket accepted if MAC valid |
50 |
Resume with Successful Exchange |
Complete full resumption flow |
IKE SA and CHILD SA restored |
Message Fragmentation - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
Fragmentation Support Detection |
Check if both peers support IKEv2 fragmentation |
Fragmentation capability negotiated |
2 |
Fragmentation Disabled |
Disable fragmentation on one peer |
Large messages dropped or rejected |
3 |
Fragment Large IKE_SA_INIT |
Send large IKE_SA_INIT message |
Message fragmented and reassembled |
4 |
Fragment Large IKE_AUTH |
Send large IKE_AUTH message |
Message fragmented and reassembled |
5 |
Fragment Large Certificate |
Send large certificate payload |
Certificate transmitted in fragments |
6 |
Fragment Large EAP Payload |
Send large EAP payload |
Payload fragmented and reassembled |
7 |
Fragmentation with IPv4 |
Use IPv4 transport |
Fragments handled correctly |
8 |
Fragmentation with IPv6 |
Use IPv6 transport |
Fragments handled correctly |
9 |
Fragmentation with NAT-T |
Use NAT traversal with fragmentation |
Fragments reassembled behind NAT |
10 |
Fragmentation with UDP Port 4500 |
Use UDP port 4500 |
Fragments transmitted successfully |
11 |
Fragmentation with Packet Loss |
Drop one fragment |
Message reassembly fails |
12 |
Fragmentation with Reordering |
Deliver fragments out of order |
Message reassembled correctly |
13 |
Fragmentation with Duplicate Fragments |
Send duplicate fragments |
Duplicates ignored |
14 |
Fragmentation with Invalid Length |
Use incorrect fragment length |
Fragment rejected |
15 |
Fragmentation with Invalid Header |
Use malformed fragment header |
Fragment rejected |
16 |
Fragmentation with Logging Enabled |
Enable logging |
Fragmentation events logged |
17 |
Fragmentation with Debugging |
Enable debug mode |
Detailed logs available |
18 |
Fragmentation with Wireshark |
Capture fragmented exchange |
Fragments visible in capture |
19 |
Fragmentation with High Latency |
Simulate high latency |
Fragments reassembled with delay |
20 |
Fragmentation with Low Bandwidth |
Simulate low bandwidth |
Fragments transmitted successfully |
21 |
Fragmentation with DoS Simulation |
Flood with fragments |
Throttling or drop |
22 |
Fragmentation with MOBIKE |
Change IP mid-fragment exchange |
Reassembly continues if supported |
23 |
Fragmentation with Rekeying |
Rekey during fragmented exchange |
New SA established |
24 |
Fragmentation with Certificate Auth |
Use certificate authentication |
Auth succeeds with fragmented cert |
25 |
Fragmentation with PSK Auth |
Use pre-shared key |
Auth succeeds with fragmented payloads |
26 |
Fragmentation with EAP Auth |
Use EAP authentication |
Auth succeeds with fragmented EAP |
27 |
Fragmentation with Vendor Interop |
Use different vendor stacks |
Fragments handled if compliant |
28 |
Fragmentation with CHILD SA |
Create CHILD SA with large payload |
CHILD SA established |
29 |
Fragmentation with Multiple CHILD SAs |
Create multiple CHILD SAs with fragmentation |
All SAs established |
30 |
Fragmentation with Invalid SPI |
Use invalid SPI in fragment |
Fragment dropped |
31 |
Fragmentation with Invalid Nonce |
Use invalid nonce in fragment |
Fragment dropped |
32 |
Fragmentation with Cookie Challenge |
Trigger cookie challenge |
Challenge handled with fragments |
33 |
Fragmentation with Traffic Selector |
Use large traffic selector payload |
Fragmented and reassembled |
34 |
Fragmentation with Large Proposal |
Use large proposal list |
Fragmented and reassembled |
35 |
Fragmentation with Large ID Payload |
Use large IDi/IDr payloads |
Fragmented and reassembled |
36 |
Fragmentation with Large Notify |
Use large notify payload |
Fragmented and reassembled |
37 |
Fragmentation with Large Vendor ID |
Use large vendor ID payload |
Fragmented and reassembled |
38 |
Fragmentation with Large Config Payload |
Use large configuration payload |
Fragmented and reassembled |
39 |
Fragmentation with Large NAT Payload |
Use large NAT detection payload |
Fragmented and reassembled |
40 |
Fragmentation with Large Certificate Request |
Use large cert request payload |
Fragmented and reassembled |
41 |
Fragmentation with Large Hash |
Use large hash payload |
Fragmented and reassembled |
42 |
Fragmentation with Large Signature |
Use large signature payload |
Fragmented and reassembled |
43 |
Fragmentation with Large Key Exchange |
Use large DH group payload |
Fragmented and reassembled |
44 |
Fragmentation with Large Encrypted Payload |
Use large encrypted payload |
Fragmented and reassembled |
45 |
Fragmentation with Large ID Payload |
Use large identity payload |
Fragmented and reassembled |
46 |
Fragmentation with Session Timeout |
Let session idle during fragmentation |
Session expires |
47 |
Fragmentation with Retry Mechanism |
Retry after fragment loss |
Exchange completes |
48 |
Fragmentation with Invalid Fragment Order |
Send fragments in wrong order |
Reassembly fails |
49 |
Fragmentation with Mixed Fragment Sizes |
Use varying fragment sizes |
Reassembly succeeds |
50 |
Fragmentation with Successful Exchange |
Complete full IKEv2 exchange with fragmentation |
IKE SA and CHILD SA established |
Traffic Selectors - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
Basic Traffic Selector Match |
Use matching TSi and TSr |
SA established |
2 |
Traffic Selector Mismatch |
Use non-overlapping TSi and TSr |
SA negotiation fails |
3 |
Narrowing Traffic Selector |
Responder narrows initiator’s selector |
Narrowed SA established |
4 |
Broad Traffic Selector |
Initiator proposes broad selector |
Responder narrows appropriately |
5 |
Single IP Traffic Selector |
Use single IP address in TSi/TSr |
SA established for that IP |
6 |
IP Range Traffic Selector |
Use IP range in TSi/TSr |
SA established for range |
7 |
Subnet Traffic Selector |
Use subnet (e.g., /24) |
SA established for subnet |
8 |
Port-Specific Traffic Selector |
Use specific port (e.g., TCP 443) |
SA established for that port |
9 |
Protocol-Specific Selector |
Use specific protocol (e.g., UDP) |
SA established for that protocol |
10 |
ICMP Traffic Selector |
Use ICMP protocol in selector |
SA established for ICMP |
11 |
TCP Traffic Selector |
Use TCP protocol in selector |
SA established for TCP |
12 |
UDP Traffic Selector |
Use UDP protocol in selector |
SA established for UDP |
13 |
All Traffic Selector |
Use 0.0.0.0/0 |
SA established for all traffic |
14 |
IPv6 Traffic Selector |
Use IPv6 address in selector |
SA established for IPv6 |
15 |
Mixed IPv4/IPv6 Selectors |
Use both IPv4 and IPv6 |
Dual-stack SA established |
16 |
Invalid IP in Selector |
Use malformed IP |
SA negotiation fails |
17 |
Invalid Port in Selector |
Use invalid port number |
SA negotiation fails |
18 |
Overlapping Traffic Selectors |
Use overlapping ranges |
SA established with intersection |
19 |
Non-Overlapping Traffic Selectors |
Use disjoint ranges |
SA negotiation fails |
20 |
Traffic Selector Logging |
Enable logging |
TSi/TSr logged |
21 |
Traffic Selector Debugging |
Enable debug mode |
Detailed logs available |
22 |
Traffic Selector with Wireshark |
Capture negotiation |
TSi/TSr visible in IKE_AUTH |
23 |
Traffic Selector with NAT |
Use selectors behind NAT |
NAT-T used, selectors adjusted |
24 |
Traffic Selector with Fragmentation |
Use large selector payload |
Fragmented and reassembled |
25 |
Traffic Selector with High Latency |
Simulate high latency |
SA established with delay |
26 |
Traffic Selector with Low Bandwidth |
Simulate low bandwidth |
SA established |
27 |
Traffic Selector with DoS Attack |
Flood with selector requests |
Throttling or drop |
28 |
Traffic Selector with Rekeying |
Rekey CHILD SA with new selectors |
New SA established |
29 |
Traffic Selector with MOBIKE |
Change IP after SA established |
Selectors remain valid |
30 |
Traffic Selector with Multiple CHILD SAs |
Use different selectors per CHILD SA |
All SAs established |
31 |
Traffic Selector with Policy Mismatch |
Use selectors not matching policy |
SA negotiation fails |
32 |
Traffic Selector with Certificate Auth |
Use certs with selectors |
SA established securely |
33 |
Traffic Selector with PSK Auth |
Use PSK with selectors |
SA established securely |
34 |
Traffic Selector with EAP Auth |
Use EAP with selectors |
SA established securely |
35 |
Traffic Selector with Vendor Interop |
Use different vendor stacks |
SA established if compliant |
36 |
Traffic Selector with IPv4 NAT |
Use IPv4 selectors behind NAT |
NAT-T adjusts selectors |
37 |
Traffic Selector with IPv6 NAT |
Use IPv6 selectors behind NAT |
NAT-T adjusts selectors |
38 |
Traffic Selector with Port Range |
Use port range (e.g., 10002000) |
SA established for range |
39 |
Traffic Selector with Protocol Range |
Use protocol range (if supported) |
SA established |
40 |
Traffic Selector with Invalid SPI |
Use invalid SPI in selector |
SA negotiation fails |
41 |
Traffic Selector with Cookie Challenge |
Trigger cookie challenge |
SA established after retry |
42 |
Traffic Selector with Large Proposal |
Use many selectors |
SA established if within limits |
43 |
Traffic Selector with Narrow Policy |
Use narrow policy on responder |
Initiator proposal narrowed |
44 |
Traffic Selector with Broad Policy |
Use broad policy on responder |
Initiator proposal accepted |
45 |
Traffic Selector with Tunnel Mode |
Use selectors in tunnel mode |
SA established |
46 |
Traffic Selector with Transport Mode |
Use selectors in transport mode |
SA established |
47 |
Traffic Selector with Replay Attack |
Replay selector negotiation |
Message rejected |
48 |
Traffic Selector with Invalid Nonce |
Use invalid nonce in selector negotiation |
SA negotiation fails |
49 |
Traffic Selector with Session Timeout |
Let session idle |
SA expires |
50 |
Traffic Selector with Successful Exchange |
Complete full IKEv2 exchange with selectors |
IKE SA and CHILD SA established |
Encryption Agility - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
AES-CBC Negotiation |
Negotiate AES-CBC encryption |
SA established with AES-CBC |
2 |
AES-GCM Negotiation |
Negotiate AES-GCM encryption |
SA established with AES-GCM |
3 |
AES-128 Negotiation |
Use AES-128 encryption |
SA established with AES-128 |
4 |
AES-256 Negotiation |
Use AES-256 encryption |
SA established with AES-256 |
5 |
3DES Negotiation |
Use 3DES encryption |
SA established with 3DES |
6 |
ChaCha20 Negotiation |
Use ChaCha20 encryption |
SA established with ChaCha20 |
7 |
Unsupported Algorithm |
Propose unsupported algorithm |
SA negotiation fails |
8 |
Multiple Algorithm Proposals |
Propose multiple algorithms |
Best match selected |
9 |
Algorithm Preference Order |
Change order of proposals |
Preferred algorithm selected |
10 |
Algorithm Mismatch |
Use mismatched algorithms |
SA negotiation fails |
11 |
Algorithm Downgrade Attack |
Attempt to force weaker algorithm |
Negotiation fails or logs warning |
12 |
Algorithm Upgrade |
Switch to stronger algorithm |
SA rekeyed with stronger cipher |
13 |
Rekey with Different Algorithm |
Rekey using a different encryption algorithm |
New SA established |
14 |
Algorithm Negotiation Logging |
Enable logging |
Negotiated algorithm logged |
15 |
Algorithm Negotiation Debugging |
Enable debug mode |
Detailed logs available |
16 |
Algorithm Negotiation with IPv4 |
Use IPv4 transport |
Algorithm negotiated successfully |
17 |
Algorithm Negotiation with IPv6 |
Use IPv6 transport |
Algorithm negotiated successfully |
18 |
Algorithm Negotiation with NAT-T |
Use NAT traversal |
Algorithm negotiated successfully |
19 |
Algorithm Negotiation with Fragmentation |
Use large payloads |
Fragments reassembled, algorithm negotiated |
20 |
Algorithm Negotiation with Packet Loss |
Drop packets during negotiation |
Retransmission occurs |
21 |
Algorithm Negotiation with High Latency |
Simulate high latency |
Negotiation completes with delay |
22 |
Algorithm Negotiation with Low Bandwidth |
Simulate low bandwidth |
Negotiation completes |
23 |
Algorithm Negotiation with DoS |
Flood IKE port |
Negotiation throttled or blocked |
24 |
Algorithm Negotiation with Certificate Auth |
Use certificates |
Algorithm negotiated securely |
25 |
Algorithm Negotiation with PSK |
Use pre-shared key |
Algorithm negotiated securely |
26 |
Algorithm Negotiation with EAP |
Use EAP authentication |
Algorithm negotiated securely |
27 |
Algorithm Negotiation with Vendor Interop |
Use different vendor stacks |
Negotiation succeeds if compliant |
28 |
Algorithm Negotiation with MOBIKE |
Change IP during session |
Algorithm remains valid |
29 |
Algorithm Negotiation with CHILD SA |
Create CHILD SA with different algorithm |
CHILD SA established |
30 |
Algorithm Negotiation with Multiple CHILD SAs |
Use different algorithms per CHILD SA |
All SAs established |
31 |
Algorithm Negotiation with Policy Mismatch |
Use policy not supporting proposed algorithm |
SA negotiation fails |
32 |
Algorithm Negotiation with AES-GCM-128 |
Use AES-GCM-128 |
SA established |
33 |
Algorithm Negotiation with AES-GCM-256 |
Use AES-GCM-256 |
SA established |
34 |
Algorithm Negotiation with SHA-1 |
Use SHA-1 for integrity |
SA established (deprecated warning) |
35 |
Algorithm Negotiation with SHA-256 |
Use SHA-256 for integrity |
SA established |
36 |
Algorithm Negotiation with SHA-384 |
Use SHA-384 for integrity |
SA established |
37 |
Algorithm Negotiation with SHA-512 |
Use SHA-512 for integrity |
SA established |
38 |
Algorithm Negotiation with AES-XCBC |
Use AES-XCBC for integrity |
SA established |
39 |
Algorithm Negotiation with Null Encryption |
Propose null encryption (for testing) |
SA rejected or warning logged |
40 |
Algorithm Negotiation with Replay Attack |
Replay negotiation message |
Message rejected |
41 |
Algorithm Negotiation with Invalid Proposal |
Use malformed proposal |
SA negotiation fails |
42 |
Algorithm Negotiation with Cookie Challenge |
Trigger cookie challenge |
Negotiation resumes after retry |
43 |
Algorithm Negotiation with Large Proposal Set |
Use many algorithms in proposal |
Best match selected |
44 |
Algorithm Negotiation with Custom Cipher |
Use custom-defined cipher |
SA established if supported |
45 |
Algorithm Negotiation with Weak Cipher |
Use deprecated cipher (e.g., DES) |
SA rejected or warning logged |
46 |
Algorithm Negotiation with FIPS Mode |
Use FIPS-compliant algorithms |
SA established with compliant cipher |
47 |
Algorithm Negotiation with Suite B |
Use Suite B algorithms |
SA established if supported |
48 |
Algorithm Negotiation with Logging Disabled |
Disable logging |
No logs generated |
49 |
Algorithm Negotiation with Session Timeout |
Let session idle |
SA expires |
50 |
Algorithm Negotiation with Successful Exchange |
Complete full IKEv2 exchange |
IKE SA and CHILD SA established |
Post-Quantum Readiness - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
PQC Support Detection |
Check if both peers support post-quantum algorithms |
PQC capability negotiated |
2 |
PQC Disabled |
Disable PQC on one peer |
PQC negotiation fails |
3 |
PQC Algorithm Negotiation |
Negotiate post-quantum algorithm (e.g., Kyber) |
SA established with PQC |
4 |
PQC Algorithm Mismatch |
Use mismatched PQC algorithms |
SA negotiation fails |
5 |
PQC with Hybrid Key Exchange |
Combine classical and PQC algorithms |
Hybrid SA established |
6 |
PQC with Kyber |
Use Kyber for key exchange |
SA established securely |
7 |
PQC with Dilithium |
Use Dilithium for authentication |
Authenticated successfully |
8 |
PQC with Falcon |
Use Falcon for authentication |
Authenticated successfully |
9 |
PQC with SPHINCS+ |
Use SPHINCS+ for signature verification |
Authenticated successfully |
10 |
PQC with SIDH (deprecated) |
Attempt SIDH key exchange |
Negotiation fails or warning logged |
11 |
PQC with Certificate Auth |
Use PQC-based certificates |
Authenticated successfully |
12 |
PQC with PSK Auth |
Use PSK with PQC key exchange |
SA established securely |
13 |
PQC with EAP Auth |
Use EAP with PQC key exchange |
SA established securely |
14 |
PQC with IPv4 |
Use IPv4 transport |
PQC negotiation succeeds |
15 |
PQC with IPv6 |
Use IPv6 transport |
PQC negotiation succeeds |
16 |
PQC with NAT-T |
Use NAT traversal |
PQC negotiation succeeds |
17 |
PQC with Fragmentation |
Send large PQC payloads |
Fragments reassembled |
18 |
PQC with Packet Loss |
Drop packets during PQC exchange |
Retransmission occurs |
19 |
PQC with Replay Attack |
Replay PQC exchange messages |
Message rejected |
20 |
PQC with Invalid Payload |
Send malformed PQC payload |
Negotiation fails |
21 |
PQC with Logging Enabled |
Enable logging |
PQC events logged |
22 |
PQC with Debugging Enabled |
Enable debug mode |
Detailed logs available |
23 |
PQC with Wireshark |
Capture PQC exchange |
PQC payloads visible |
24 |
PQC with High Latency |
Simulate high latency |
Exchange completes with delay |
25 |
PQC with Low Bandwidth |
Simulate low bandwidth |
Exchange completes |
26 |
PQC with DoS Simulation |
Flood IKE port |
PQC negotiation throttled or blocked |
27 |
PQC with Vendor Interop |
Use different vendor stacks |
PQC negotiation succeeds if compliant |
28 |
PQC with MOBIKE |
Change IP during PQC session |
SA remains valid |
29 |
PQC with Rekeying |
Rekey using PQC algorithm |
New SA established |
30 |
PQC with CHILD SA |
Create CHILD SA with PQC algorithm |
CHILD SA established |
31 |
PQC with Multiple CHILD SAs |
Use different PQC algorithms per CHILD SA |
All SAs established |
32 |
PQC with Policy Mismatch |
Use policy not supporting PQC |
SA negotiation fails |
33 |
PQC with Hybrid Certificate |
Use hybrid classical/PQC certificate |
Authenticated successfully |
34 |
PQC with Large Key Sizes |
Use large PQC key sizes |
SA established |
35 |
PQC with Signature Verification |
Verify PQC signature |
Signature verified |
36 |
PQC with Invalid Signature |
Use invalid PQC signature |
Verification fails |
37 |
PQC with Certificate Chain |
Use PQC certificate chain |
Chain validated |
38 |
PQC with CRL Check |
Validate PQC certificate against CRL |
Revoked cert rejected |
39 |
PQC with OCSP |
Use OCSP for PQC certificate validation |
Cert status verified |
40 |
PQC with Cookie Challenge |
Trigger cookie challenge |
PQC resumes after retry |
41 |
PQC with Large Proposal Set |
Propose many PQC algorithms |
Best match selected |
42 |
PQC with Custom Cipher |
Use custom PQC cipher |
SA established if supported |
43 |
PQC with Weak Cipher |
Use deprecated PQC cipher |
SA rejected or warning logged |
44 |
PQC with FIPS Mode |
Use FIPS-compliant PQC algorithms |
SA established with compliant cipher |
45 |
PQC with Suite B |
Use Suite B + PQC hybrid |
SA established if supported |
46 |
PQC with Logging Disabled |
Disable logging |
No logs generated |
47 |
PQC with Session Timeout |
Let session idle |
SA expires |
48 |
PQC with Invalid SPI |
Use invalid SPI in PQC exchange |
Message dropped |
49 |
PQC with Invalid Nonce |
Use invalid nonce in PQC exchange |
Message dropped |
50 |
PQC with Successful Exchange |
Complete full IKEv2 exchange with PQC |
IKE SA and CHILD SA established securely |
Extensibility via Payloads - Testcases
# |
Test Case |
Description |
Expected Result |
|---|---|---|---|
1 |
Custom Payload Support |
Send custom payload |
Payload accepted if format valid |
2 |
Unknown Payload Handling |
Send unknown payload type |
Ignored if not critical |
3 |
Vendor ID Payload |
Include Vendor ID payload |
Vendor identified |
4 |
Notify Payload |
Include Notify payload |
Notification processed |
5 |
Configuration Payload |
Include Configuration payload |
Configuration applied |
6 |
Certificate Request Payload |
Request certificate from peer |
Certificate returned |
7 |
Certificate Payload |
Send certificate |
Certificate validated |
8 |
EAP Payload |
Include EAP authentication payload |
Authenticated successfully |
9 |
Encrypted Payload |
Send encrypted payload |
Decrypted and processed |
10 |
Fragmentation Payload |
Send fragmented payload |
Reassembled correctly |
11 |
IDi Payload |
Include initiator identity |
Identity verified |
12 |
IDr Payload |
Include responder identity |
Identity verified |
13 |
SA Payload |
Include Security Association proposal |
SA negotiated |
14 |
Key Exchange Payload |
Include DH key exchange |
Keys exchanged securely |
15 |
Nonce Payload |
Include nonce |
Used in key derivation |
16 |
Delete Payload |
Include delete payload |
SA deleted |
17 |
Notify Payload with Error Code |
Send error notification |
Error logged |
18 |
Notify Payload with Status Code |
Send status notification |
Status logged |
19 |
Notify Payload with NAT Detection |
Include NAT detection payload |
NAT presence detected |
20 |
Notify Payload with MOBIKE Support |
Indicate MOBIKE capability |
MOBIKE enabled |
21 |
Notify Payload with Fragment Support |
Indicate fragmentation support |
Fragmentation enabled |
22 |
Notify Payload with Session Resumption |
Indicate resumption capability |
Resumption enabled |
23 |
Notify Payload with Post-Quantum Support |
Indicate PQC capability |
PQC negotiation initiated |
24 |
Notify Payload with Custom Code |
Use custom notify code |
Vendor-specific action taken |
25 |
Notify Payload with Invalid Code |
Use invalid notify code |
Ignored or rejected |
26 |
Notify Payload with Logging Enabled |
Enable logging |
Payload logged |
27 |
Notify Payload with Debugging |
Enable debug mode |
Detailed logs available |
28 |
Notify Payload with Wireshark |
Capture notify payload |
Visible in packet capture |
29 |
Notify Payload with Replay Attack |
Replay notify payload |
Message rejected |
30 |
Notify Payload with Invalid Format |
Send malformed notify payload |
Message rejected |
31 |
Custom Payload with Encryption |
Encrypt custom payload |
Decrypted and processed |
32 |
Custom Payload with Compression |
Compress custom payload |
Decompressed and processed |
33 |
Custom Payload with Large Size |
Send large custom payload |
Fragmented and reassembled |
34 |
Custom Payload with Invalid Length |
Use incorrect length field |
Message rejected |
35 |
Custom Payload with Invalid Type |
Use unsupported payload type |
Message ignored |
36 |
Custom Payload with Vendor Extension |
Use vendor-specific extension |
Extension processed if supported |
37 |
Custom Payload with Policy Mismatch |
Use payload not allowed by policy |
Message rejected |
38 |
Custom Payload with Certificate Auth |
Use certs with custom payload |
Authenticated successfully |
39 |
Custom Payload with PSK Auth |
Use PSK with custom payload |
Authenticated successfully |
40 |
Custom Payload with EAP Auth |
Use EAP with custom payload |
Authenticated successfully |
41 |
Custom Payload with IPv4 |
Use IPv4 transport |
Payload transmitted successfully |
42 |
Custom Payload with IPv6 |
Use IPv6 transport |
Payload transmitted successfully |
43 |
Custom Payload with NAT-T |
Use NAT traversal |
Payload transmitted successfully |
44 |
Custom Payload with MOBIKE |
Change IP during session |
Payload transmitted successfully |
45 |
Custom Payload with Rekeying |
Rekey with custom payload |
New SA established |
46 |
Custom Payload with CHILD SA |
Create CHILD SA with custom payload |
CHILD SA established |
47 |
Custom Payload with Multiple CHILD SAs |
Use different payloads per CHILD SA |
All SAs established |
48 |
Custom Payload with Session Timeout |
Let session idle |
SA expires |
49 |
Custom Payload with Invalid SPI |
Use invalid SPI |
Message dropped |
50 |
Custom Payload with Successful Exchange |
Complete full IKEv2 exchange with custom payloads |
IKE SA and CHILD SA established |
Reference links