IPsec - Internet Protocol Security
What is IPsec (Inside VPN)?
IPsec (Internet Protocol Security) is a suite of protocols (AH, ESP and the IKE key-exchange protocol) that provides encryption, authentication, and integrity for IP traffic. In a VPN, IPsec's own tunnel mode wraps each original IP packet inside a new, protected outer packet; IKE/IKEv2 negotiates the keys and parameters, and some remote-access deployments layer L2TP on top of IPsec (L2TP/IPsec). Think of it as a secure tunnel that wraps and protects all your data as it travels across the internet.
Why is IPsec important inside VPN?
Data Confidentiality – Encrypts entire IP packets to prevent unauthorized access.
Data Integrity – Ensures that tunneled data hasn’t been altered during transit.
Authentication – Verifies the identity of both VPN endpoints.
Tunnel Protection – Secures the entire communication path between networks or users.
Mobility & NAT Support – Works well with mobile users and NAT traversal.
How IPsec works inside VPN (in simple steps):
Negotiation – The peers run IKE (IKEv1 or IKEv2) to agree on encryption and integrity algorithms, Diffie-Hellman group and lifetimes, and to derive shared keys.
Authentication – Endpoints authenticate each other using pre-shared keys, certificates, or (with IKEv2) EAP.
Tunnel Setup – The negotiated parameters and keys are installed as Security Associations (SAs), one per direction; these SAs are the tunnel.
Encryption & Integrity – Each original IP packet is encrypted and integrity-protected with ESP (or integrity-protected only with AH) and given a new outer IP header.
Transmission & Decryption – Protected packets cross the public network; the receiving peer checks the sequence number and ICV, decrypts, and forwards the original packet.
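The "Negotiation" step above ends with both peers holding the same set of keys without ever sending them. The following is an added example (not code from the page) of how IKEv2 turns the Diffie-Hellman result, the nonces and the SPIs into the IKE SA keys and then into CHILD_SA keys, following RFC 7296 §2.13, §2.14, §2.17 and §2.18 with PRF_HMAC_SHA2_256. The DH shared secret g^ir is a constructed stand-in (a real exchange would take it from MODP group 14 or ECP group 19/20), and the nonces and SPIs are constructed test values.

```python
"""IKEv2 key derivation with PRF_HMAC_SHA2_256 (RFC 7296 §2.13, §2.14, §2.17, §2.18).

Added example, not code from the page. g^ir, nonces and SPIs are constructed
test values; a real g^ir is the Diffie-Hellman shared secret of the negotiated group.
"""
import hashlib
import hmac

PRF_LEN = 32      # PRF_HMAC_SHA2_256: output length and preferred key length


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ (K, S) = T1 | T2 | ... with T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


IKE_KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def derive_ike_sa_keys(g_ir, ni, nr, spi_i, spi_r, enc_key_len=32, integ_key_len=32, old_sk_d=None):
    """Initial IKE SA (§2.14) or IKE SA rekey (§2.18, pass the old SK_d).
    Key sizes default to AES-CBC-256 + HMAC-SHA2-256-128 protecting the IKE SA itself."""
    if old_sk_d is None:
        skeyseed = prf(ni + nr, g_ir)               # nonces key the PRF, the DH secret is the data
    else:
        skeyseed = prf(old_sk_d, g_ir + ni + nr)    # rekey: the old SK_d keys the PRF
    sizes = (PRF_LEN, integ_key_len, integ_key_len, enc_key_len, enc_key_len, PRF_LEN, PRF_LEN)
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(sizes))
    keys, offset = {}, 0
    for name, size in zip(IKE_KEY_NAMES, sizes):
        keys[name] = stream[offset:offset + size]
        offset += size
    return keys


def derive_child_sa_keys(sk_d, ni, nr, enc_key_len=32, integ_key_len=32, g_ir_new=None):
    """CHILD_SA KEYMAT (§2.17). Without PFS only SK_d and the nonces go in, so anyone
    holding SK_d can derive every CHILD_SA; with PFS a fresh DH secret is mixed in first.
    Initiator->responder keys come before responder->initiator, encryption before integrity."""
    seed = (g_ir_new if g_ir_new is not None else b"") + ni + nr
    keymat = prf_plus(sk_d, seed, 2 * (enc_key_len + integ_key_len))
    a, b, c = enc_key_len, enc_key_len + integ_key_len, 2 * enc_key_len + integ_key_len
    return {"i2r_enc": keymat[:a], "i2r_integ": keymat[a:b],
            "r2i_enc": keymat[b:c], "r2i_integ": keymat[c:]}


# Constructed test inputs (a real g^ir is 256 bytes for MODP group 14)
G_IR = hashlib.sha256(b"constructed stand-in for the DH shared secret").digest()
NI, NR = bytes(range(32)), bytes(range(32, 64))
SPI_I, SPI_R = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")

if __name__ == "__main__":
    ike = derive_ike_sa_keys(G_IR, NI, NR, SPI_I, SPI_R)
    for name, k in ike.items():
        print(name, k.hex())
    no_pfs = derive_child_sa_keys(ike["SK_d"], NI, NR)
    with_pfs = derive_child_sa_keys(ike["SK_d"], NI, NR, g_ir_new=hashlib.sha256(b"fresh DH").digest())
    print("PFS changes the CHILD_SA keys:", no_pfs != with_pfs)
```

The split matters for the PFS and rekeying test cases later on this page: SK_d is the only secret that survives into CHILD_SA derivation, so without PFS a captured SK_d unlocks every child tunnel, whereas with PFS each CREATE_CHILD_SA mixes in a new g^ir that SK_d alone cannot reproduce.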
Where is IPsec used?
Site-to-Site VPNs – Securely connects branch offices over the internet.
Remote Access VPNs – Allows users to securely access internal networks from anywhere.
Cloud Connectivity – Secures traffic between on-prem and cloud environments.
Geo-Restriction Bypass – Enables access to region-restricted content securely.
BYOD Security – Protects enterprise data on employee-owned devices.
Which OSI Layer does this protocol belong to?
IPsec secures entire IP packets, regardless of the application or transport protocol.
It operates below the transport layer (TCP/UDP) and above the data link layer, making it part of the Network Layer (Layer 3).
This allows IPsec to secure all traffic within the VPN tunnel, not just specific applications.
Version Info
| Area | RFC | Year | Core Idea / Contribution |
|---|---|---|---|
| IKEv2 | RFC 4306 | 2005 | Introduced IKEv2: a simpler, more robust key exchange than IKEv1 (two round trips, built-in NAT-T, EAP, DoS cookies). |
| IKEv2 | RFC 5996 | 2010 | Obsoletes RFC 4306; folds in clarifications and errata. |
| IKEv2 | RFC 7296 | 2014 | Current IKEv2 specification (Internet Standard 79); obsoletes RFC 5996. |
| IPsec v3 (architecture) | RFC 4301 | 2005 | Updated security architecture: SPD/SAD model, better NAT and mobility support, algorithm requirements split into separate documents. |
| ESP | RFC 4303 | 2005 | Defines the Encapsulating Security Payload (ESP): confidentiality, integrity and anti-replay; the protocol almost all VPN tunnels use. |
| AH | RFC 4302 | 2005 | Defines the Authentication Header (AH): integrity and anti-replay only, no encryption. |
| Algorithm Support | RFC 4305 | 2005 | Cryptographic algorithm implementation requirements for ESP and AH. |
| Algorithm Support | RFC 4835 | 2007 | Obsoletes RFC 4305; updated requirements, raising AES-CBC to MUST. |
| Algorithm Support | RFC 8221 | 2017 | Current ESP/AH algorithm requirements: AES-GCM preferred, 3DES SHOULD NOT, DES and HMAC-MD5 MUST NOT. |
| NAT Traversal | RFC 3947, RFC 3948 | 2005 | NAT detection in IKE and UDP encapsulation of ESP (port 4500), essential for VPN clients behind NAT. |
| Mobility Support | RFC 4555 | 2006 | MOBIKE: lets an IKEv2/IPsec SA survive address changes on mobile or multihomed peers. |
| Roadmap | RFC 6071 | 2011 | Comprehensive roadmap of IPsec and IKE-related RFCs. |
Setup
Tunnel Mode with AH

Authenticates the entire original IP packet, plus the immutable fields of a new outer IP header, without encrypting anything. Header overhead ahead of the original payload is about 64 bytes (IPv4) to 104 bytes (IPv6) with a 12-byte ICV; the ICV size depends on the integrity algorithm.

| Field | Description | Size (bytes) |
|---|---|---|
| Outer IP Header | New IP header added for tunneling; carries protocol number 51 (AH). | 20 (IPv4) / 40 (IPv6) |
| Next Header | Type of the payload that follows AH; in tunnel mode 4 (IPv4) or 41 (IPv6) for the encapsulated packet. | 1 |
| Payload Length | Length of the AH header in 32-bit words, minus 2 (e.g. 4 for a 12-byte ICV, 5 for a 16-byte ICV). | 1 |
| Reserved | Must be zero. | 2 |
| Security Parameters Index (SPI) | Identifies the security association (together with destination address and protocol). | 4 |
| Sequence Number | Increments with each packet on the SA; used by the receiver's anti-replay window. | 4 |
| Authentication Data | Integrity Check Value (ICV) computed over the outer header with its mutable fields (TOS, flags, fragment offset, TTL, checksum) zeroed, the AH header, and the whole inner packet. Padded to a multiple of 32 bits; 12 bytes for HMAC-SHA1-96, 16 for HMAC-SHA2-256-128, 32 for HMAC-SHA2-512-256. | 12–32 |
| Inner IP Header | Original IP header of the encapsulated packet. | 20 (IPv4) / 40 (IPv6) |
| Payload | Original transport-layer data (e.g., TCP/UDP header + application data). | Variable |
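To make the table concrete, here is an added example (not code from the page) that builds a tunnel-mode AH packet over IPv4 with HMAC-SHA2-256-128, computes the ICV the way RFC 4302 prescribes (outer-header mutable fields zeroed, ICV field zeroed), and verifies it. It also shows the property that makes AH unusable behind NAT: a router decrementing the TTL leaves the ICV valid, a NAT rewriting the source address does not. The key, gateway and host addresses and the inner UDP packet are constructed test values.

```python
"""Tunnel-mode AH over IPv4 with HMAC-SHA2-256-128 (RFC 4302, RFC 4868).

Added example, not code from the page. Key, addresses and the inner packet are
constructed test values, not captured traffic.
"""
import hashlib
import hmac
import struct
from typing import Optional

AH_PROTO = 51       # IP protocol number for AH
IPV4_IN_IP = 4      # AH Next Header for an encapsulated IPv4 packet (41 for IPv6)
ICV_LEN = 16        # HMAC-SHA2-256-128: the 32-byte HMAC truncated to 128 bits
AH_LEN = 12 + ICV_LEN


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(outer: bytes) -> bytes:
    """RFC 4302 §3.3.3.1: TOS, flags/fragment offset, TTL and header checksum may change
    in transit, so they are zeroed before the ICV is computed; every other outer-header
    field (including source and destination address) is covered."""
    return (outer[0:1] + b"\x00" + outer[2:6] + b"\x00\x00\x00"
            + outer[9:10] + b"\x00\x00" + outer[12:20])


def ah_icv(key: bytes, outer: bytes, ah_fixed: bytes, inner: bytes) -> bytes:
    covered = zero_mutable(outer) + ah_fixed + bytes(ICV_LEN) + inner   # ICV field is zero
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_tunnel_packet(key, spi, seq, src, dst, inner) -> bytes:
    payload_len = AH_LEN // 4 - 2                                 # "32-bit words minus 2": 5 here
    outer = ipv4_header(src, dst, AH_PROTO, 20 + AH_LEN + len(inner))
    ah_fixed = struct.pack("!BBHII", IPV4_IN_IP, payload_len, 0, spi, seq)
    return outer + ah_fixed + ah_icv(key, outer, ah_fixed, inner) + inner


def verify_ah_packet(key, pkt) -> Optional[bytes]:
    """Return the inner packet if the AH ICV verifies, else None (drop)."""
    if len(pkt) < 20 + AH_LEN or pkt[9] != AH_PROTO:
        return None
    outer, ah_fixed = pkt[:20], pkt[20:32]
    next_hdr, payload_len, _reserved, _spi, _seq = struct.unpack("!BBHII", ah_fixed)
    if next_hdr != IPV4_IN_IP or (payload_len + 2) * 4 != AH_LEN:
        return None                                               # not the SA/algorithm we expect
    icv, inner = pkt[32:20 + AH_LEN], pkt[20 + AH_LEN:]
    if not hmac.compare_digest(icv, ah_icv(key, outer, ah_fixed, inner)):
        return None
    return inner


# Constructed sample data: gateways 192.0.2.1 / 192.0.2.2, inner 28-byte IPv4/UDP packet
KEY = hashlib.sha256(b"constructed AH test key").digest()
GW_A, GW_B = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
INNER = ipv4_header(bytes([10, 0, 0, 5]), bytes([10, 0, 1, 7]), 17, 28) + struct.pack("!HHHH", 40000, 53, 8, 0)

if __name__ == "__main__":
    pkt = build_ah_tunnel_packet(KEY, 0x1000, 1, GW_A, GW_B, INNER)
    print("verify:", verify_ah_packet(KEY, pkt) == INNER)
    # A router decrementing TTL (and refreshing the checksum) does not break AH ...
    hop = ipv4_header(GW_A, GW_B, AH_PROTO, len(pkt), ttl=63) + pkt[20:]
    print("after TTL decrement:", verify_ah_packet(KEY, hop) == INNER)
    # ... but a NAT rewriting the source address, like any change to the inner packet, does
    natted = ipv4_header(bytes([203, 0, 113, 9]), GW_B, AH_PROTO, len(pkt)) + pkt[20:]
    print("after NAT:", verify_ah_packet(KEY, natted))
```

Note that the receiver checks the Next Header and Payload Length fields before the MAC: a packet whose AH length does not match the SA's algorithm is dropped without touching the key.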
Tunnel Mode with ESP

Encrypts and integrity-protects the entire original IP packet behind a new outer IP header. Header and trailer overhead is roughly 80–140+ bytes depending on IP version, IV size, padding and ICV length.

| Field | Description | Size (bytes) |
|---|---|---|
| Outer IP Header | New IP header added for tunneling; carries protocol number 50 (ESP), or UDP port 4500 when NAT-T encapsulation is in use. | 20 (IPv4) / 40 (IPv6) |
| ESP Header | SPI and Sequence Number; sent in the clear but covered by the ICV. | 8 |
| IV | Initialization vector / nonce for the cipher, sent in the clear (16 for AES-CBC, 8 for AES-GCM). | 8–16 |
| Encrypted Inner IP Header + Payload | The entire original packet is encrypted. | Variable |
| Padding | Aligns the ciphertext to the cipher block size (4-byte alignment at minimum); default padding bytes are 1, 2, 3, ... | 0–255 |
| Pad Length | Number of padding bytes (encrypted). | 1 |
| Next Header | Type of the encapsulated data; in tunnel mode 4 (IPv4) or 41 (IPv6), not TCP/UDP (encrypted). | 1 |
| Authentication Data (ICV) | Integrity Check Value over the ESP header, IV, ciphertext and trailer; the outer IP header is not covered, which is why ESP survives NAT. Optional in RFC 4303, but encryption without integrity is insecure and RFC 8221 only allows omitting a separate integrity algorithm when an AEAD cipher such as AES-GCM supplies the tag (16 bytes). | 12–32 |
Use Cases

| S.no | Use Case | Description |
|---|---|---|
| 1 | Secure Site-to-Site VPN | Connects two networks securely over the internet (e.g., branch to HQ). |
| 2 | Remote Access VPN | Allows users to securely access internal networks from remote locations. |
| 3 | Data Confidentiality | Encrypts entire IP packets within a VPN tunnel to ensure privacy. |
| 4 | Data Integrity | Ensures tunneled data hasn't been altered during transit. |
| 5 | Authentication | Verifies the identity of VPN endpoints using pre-shared keys or certificates. |
| 6 | Secure VoIP and Video | Protects real-time communication over VPN tunnels from eavesdropping. |
| 7 | Mobile IP Security | Maintains secure VPN sessions as users move across networks (MOBIKE). |
| 8 | Cloud Connectivity | Establishes secure tunnels between on-premises and cloud environments. |
| 9 | IoT Device Protection | Secures IoT traffic routed through VPN gateways. |
| 10 | Bypass Geo-Restrictions | Enables secure tunneling to access region-restricted services or content. |
Features

| S.no | Feature | Description |
|---|---|---|
| 1 | Encryption | Encrypts entire IP packets (tunnel mode) or their payload (transport mode) with ESP to ensure confidentiality. |
| 2 | Authentication | Verifies the identity of VPN endpoints during IKE using pre-shared keys, certificates or EAP. |
| 3 | Integrity Checking | A per-packet ICV ensures tunneled data hasn't been altered during transmission. |
| 4 | Tunneling and Transport Modes | Supports Tunnel Mode (used between VPN gateways) and Transport Mode (host-to-host, original IP header kept). |
| 5 | Key Exchange (IKE/IKEv2) | Negotiates algorithms and derives the keys for the IPsec SAs between endpoints. |
| 6 | Security Associations (SAs) | One-directional contracts (SPI, algorithms, keys, lifetimes) defining how traffic between peers is protected. |
| 7 | Protocol Support (ESP & AH) | ESP provides encryption plus integrity; AH provides integrity/authentication only (covering the outer header too) and no encryption. |
| 8 | NAT Traversal | Encapsulates ESP in UDP (port 4500) so tunnels can pass through NAT devices. |
| 9 | Replay Protection | Sequence numbers and a receiver-side sliding window reject duplicated packets. |
| 10 | Flexible Algorithm Support | Negotiable cipher suites, e.g. AES-GCM, AES-CBC or ChaCha20-Poly1305 with SHA-2 HMACs. |
Encryption - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | IPsec Tunnel Establishment | Initiate IPsec VPN connection | Tunnel established successfully |
| 2 | IKEv1 Negotiation | Use IKEv1 for key exchange | SA established |
| 3 | IKEv2 Negotiation | Use IKEv2 for key exchange | SA established |
| 4 | Main Mode Exchange | Perform IKEv1 main mode exchange | Keys exchanged; peer identities protected |
| 5 | Aggressive Mode Exchange | Perform IKEv1 aggressive mode exchange | Tunnel established (with PSK the authentication hash is sent unencrypted and can be cracked offline; legacy interop only) |
| 6 | IPsec Authentication Success | Authenticate with valid credentials | IKE SA established; traffic flows |
| 7 | IPsec Authentication Failure | Use invalid credentials | IKE AUTH fails; no SA created |
| 8 | Pre-Shared Key Authentication | Use PSK for authentication | Tunnel established |
| 9 | Certificate-Based Authentication | Use digital certificates | Tunnel established; certificate chain validated |
| 10 | IPsec Tunnel Teardown | Disconnect VPN session | Tunnel closed gracefully; SAs deleted on both peers |
| 11 | IPsec Encryption AES | Use AES encryption (AES-GCM preferred) | Data encrypted |
| 12 | IPsec Encryption 3DES | Use 3DES encryption | Data encrypted (3DES is SHOULD NOT per RFC 8221; legacy interop only) |
| 13 | IPsec Encryption ChaCha20 | Use ChaCha20-Poly1305 | Data encrypted and authenticated |
| 14 | IPsec Integrity SHA-1 | Use HMAC-SHA1-96 for integrity | Data integrity verified (being phased out; prefer SHA-2) |
| 15 | IPsec Integrity SHA-256 | Use HMAC-SHA2-256-128 for integrity | Data integrity verified |
| 16 | IPsec Tunnel Mode | Use tunnel mode | Entire original packet encrypted behind a new outer header |
| 17 | IPsec Transport Mode | Use transport mode | Payload encrypted; original IP header visible |
| 18 | IPsec NAT Traversal | Connect through NAT | Tunnel established over UDP 4500 (NAT-T) |
| 19 | IPsec Dead Peer Detection | Enable DPD | Dead peer detected and tunnel reset |
| 20 | IPsec Rekeying | Force rekeying | New keys negotiated without traffic interruption |
| 21 | IPsec Perfect Forward Secrecy | Enable PFS | Fresh DH exchange performed on each CHILD_SA rekey |
| 22 | IPsec Tunnel with IPv6 | Use IPv6 addresses | Tunnel established |
| 23 | IPsec Tunnel with IPv4 | Use IPv4 addresses | Tunnel established |
| 24 | IPsec Tunnel with Dual Stack | Use both IPv4 and IPv6 | Tunnel supports both |
| 25 | IPsec Tunnel with Static IP | Use static IP for peer | Tunnel established |
| 26 | IPsec Tunnel with Dynamic IP | Use dynamic IP for peer | Tunnel established |
| 27 | IPsec Tunnel with DNS | Use FQDN for peer | DNS resolved and tunnel established |
| 28 | IPsec Tunnel with Firewall | Pass through firewall (UDP 500/4500, protocol 50) | Tunnel established |
| 29 | IPsec Tunnel with NAT | Pass through NAT | Tunnel established |
| 30 | IPsec Tunnel with Mobile Client | Connect from mobile device | Tunnel established |
| 31 | IPsec Tunnel with Desktop Client | Connect from desktop | Tunnel established |
| 32 | IPsec Tunnel with VPN Gateway | Connect to VPN gateway | Tunnel established |
| 33 | IPsec Tunnel with Load Balancer | Use load-balanced gateway | Tunnel established |
| 34 | IPsec Tunnel Failover | Simulate gateway failure | Tunnel re-established with backup |
| 35 | IPsec Tunnel Redundancy | Configure redundant tunnels | Failover successful |
| 36 | IPsec Tunnel Logging | Enable logging | Tunnel events logged |
| 37 | IPsec Tunnel Monitoring | Monitor tunnel status | Status visible |
| 38 | IPsec Tunnel Performance Test | Measure throughput | Meets expected performance |
| 39 | IPsec Tunnel Latency Test | Measure latency | Within acceptable limits |
| 40 | IPsec Tunnel Packet Loss Test | Drop packets intentionally | Tunnel remains stable |
| 41 | IPsec Tunnel with QoS | Apply QoS policies | Traffic prioritized |
| 42 | IPsec Tunnel with ACL | Apply access control lists | Traffic filtered |
| 43 | IPsec Tunnel with Routing Protocol | Run OSPF/BGP over tunnel | Routes exchanged |
| 44 | IPsec Tunnel with Static Routes | Use static routes | Traffic routed through tunnel |
| 45 | IPsec Tunnel with Multicast | Send multicast traffic | Multicast delivered |
| 46 | IPsec Tunnel with Fragmentation | Send packets larger than the tunnel MTU | Packets fragmented and reassembled |
| 47 | IPsec Tunnel with Compression | Enable compression (IPComp) | Traffic compressed |
| 48 | IPsec Tunnel with SNMP | Monitor via SNMP | Tunnel stats visible |
| 49 | IPsec Tunnel with Syslog | Log events to syslog | Logs received |
| 50 | IPsec Tunnel with SIEM | Forward logs to SIEM | Events visible in SIEM |
Authentication - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Valid Login | Login with correct credentials | Access granted |
| 2 | Invalid Password | Login with wrong password | Access denied |
| 3 | Invalid Username | Login with non-existent username | Access denied (same error and timing as a wrong password) |
| 4 | Empty Credentials | Submit empty username and password | Error message shown |
| 5 | SQL Injection Attempt | Attempt SQL injection in login form | Input handled as data (parameterized query); access denied |
| 6 | XSS in Login Field | Inject script in login field | Input encoded or rejected; no script executes |
| 7 | Password Case Sensitivity | Use wrong case in password | Access denied |
| 8 | Username Case Sensitivity | Use wrong case in username | Access denied or granted based on config |
| 9 | Account Lockout | Exceed max login attempts | Account locked |
| 10 | Password Expiry | Login with expired password | Prompt to change password |
| 11 | Password Change | Change password successfully | New password accepted |
| 12 | Password Reuse | Reuse old password | Reuse denied |
| 13 | Password Complexity | Set weak password | Password rejected |
| 14 | Password Length Enforcement | Set short password | Password rejected |
| 15 | Password Reset | Request password reset | Reset link sent |
| 16 | Password Reset Link Expiry | Use expired reset link | Link invalid |
| 17 | Password Reset Token Reuse | Reuse reset token | Token invalid |
| 18 | Multi-Factor Authentication (MFA) | Login with MFA enabled | Second factor required |
| 19 | MFA Code Expiry | Use expired MFA code | Code rejected |
| 20 | MFA Code Reuse | Reuse MFA code | Code rejected |
| 21 | Email Verification | Register new account | Verification email sent |
| 22 | Email Verification Link Expiry | Use expired verification link | Link invalid |
| 23 | Email Verification Bypass | Try to login without verifying email | Access denied |
| 24 | Session Timeout | Stay idle beyond timeout limit | Session expires |
| 25 | Concurrent Session Limit | Exceed allowed sessions | New session denied |
| 26 | Logout Functionality | Logout from session | Session terminated server-side |
| 27 | Remember Me Option | Enable "remember me" | Session persists across browser restarts |
| 28 | Social Login (Google) | Login using Google account | Access granted |
| 29 | Social Login (Facebook) | Login using Facebook account | Access granted |
| 30 | OAuth Token Expiry | Use expired OAuth token | Access denied |
| 31 | OAuth Token Refresh | Refresh access token | New token issued |
| 32 | JWT Token Validation | Use valid JWT token | Access granted |
| 33 | JWT Token Tampering | Modify JWT token (payload or algorithm header) | Token rejected |
| 34 | SSO Integration | Login via SSO | Access granted |
| 35 | SSO Logout Propagation | Logout from one app | Session ends in all apps |
| 36 | Role-Based Access Control | Login with limited role | Access restricted to role |
| 37 | Unauthorized Resource Access | Access resource without permission | Access denied |
| 38 | Audit Logging | Perform login/logout | Events logged |
| 39 | Login Attempt Logging | Attempt login | Attempt logged |
| 40 | Brute Force Detection | Simulate brute force login | Alert triggered |
| 41 | CAPTCHA on Login | Trigger CAPTCHA after failed attempts | CAPTCHA shown |
| 42 | CAPTCHA Validation | Solve CAPTCHA | Login proceeds |
| 43 | Device Recognition | Login from new device | Verification required |
| 44 | IP Whitelisting | Login from whitelisted IP | Access granted |
| 45 | IP Blacklisting | Login from blacklisted IP | Access denied |
| 46 | Login from VPN | Login while connected to VPN | Access granted or flagged |
| 47 | Login from Tor Network | Login via Tor | Access denied or flagged |
| 48 | Login from Mobile Device | Login using mobile browser | Access granted |
| 49 | Login from Desktop | Login using desktop browser | Access granted |
| 50 | Login UI Accessibility | Navigate login form with screen reader | Accessible labels and fields |
Integrity Checking - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | File Hash Generation | Generate hash for a file | Hash value generated |
| 2 | File Hash Comparison | Compare file hash with known value | Match or mismatch reported |
| 3 | MD5 Hash Check | Use MD5 for integrity check | MD5 hash generated and verified (MD5 is collision-broken; legacy checksums only, never for authenticity) |
| 4 | SHA-1 Hash Check | Use SHA-1 for integrity check | SHA-1 hash generated and verified (collisions are practical; prefer SHA-2) |
| 5 | SHA-256 Hash Check | Use SHA-256 for integrity check | SHA-256 hash generated and verified |
| 6 | SHA-512 Hash Check | Use SHA-512 for integrity check | SHA-512 hash generated and verified |
| 7 | File Modification Detection | Modify file after hash generation | Hash mismatch detected |
| 8 | File Corruption Detection | Corrupt file contents | Integrity check fails |
| 9 | File Rename Test | Rename file without changing content | Integrity check passes |
| 10 | File Move Test | Move file to another location | Integrity check passes |
| 11 | File Permission Change | Change file permissions | Integrity check passes (content hash only; a FIM tool may still alert on metadata) |
| 12 | File Timestamp Change | Modify file timestamp | Integrity check passes |
| 13 | Directory Hashing | Generate hash for directory | Directory hash generated |
| 14 | Nested Directory Hashing | Hash nested folders and files | Hash generated for entire structure |
| 15 | Large File Hashing | Hash file >1GB | Hash generated successfully |
| 16 | Small File Hashing | Hash file <1KB | Hash generated successfully |
| 17 | Empty File Hashing | Hash an empty file | Known hash value returned (e.g. SHA-256 e3b0c442...b855) |
| 18 | Binary File Hashing | Hash executable file | Hash generated |
| 19 | Text File Hashing | Hash plain text file | Hash generated |
| 20 | Image File Hashing | Hash image file | Hash generated |
| 21 | Video File Hashing | Hash video file | Hash generated |
| 22 | Audio File Hashing | Hash audio file | Hash generated |
| 23 | Hash Collision Test | Use two different files | Different hashes generated |
| 24 | Hash Algorithm Switching | Switch between hash algorithms | Correct hash generated for each |
| 25 | Integrity Check Logging | Enable logging | Events logged |
| 26 | Integrity Check Notification | Enable alerts on failure | Notification triggered |
| 27 | Scheduled Integrity Check | Run check on schedule | Check runs at set time |
| 28 | Real-Time Integrity Monitoring | Monitor file changes live | Alerts on unauthorized changes |
| 29 | Integrity Check via CLI | Run check from command line | Output displayed |
| 30 | Integrity Check via GUI | Run check from interface | Results shown visually |
| 31 | Integrity Check via API | Trigger check via API | API returns result |
| 32 | Integrity Check on Download | Verify file after download | Hash matches expected value |
| 33 | Integrity Check on Upload | Verify file before upload | Hash verified |
| 34 | Integrity Check on Backup | Verify backup file integrity | Backup validated |
| 35 | Integrity Check on Restore | Verify restored file | File matches original |
| 36 | Integrity Check on Transfer | Verify file after transfer | File unchanged |
| 37 | Integrity Check on Cloud Storage | Verify file in cloud | File integrity confirmed |
| 38 | Integrity Check on USB Drive | Verify file on external storage | File integrity confirmed |
| 39 | Integrity Check on Network Share | Verify file on shared drive | File integrity confirmed |
| 40 | Integrity Check on Encrypted File | Hash encrypted file | Hash generated |
| 41 | Integrity Check on Compressed File | Hash ZIP or TAR file | Hash generated |
| 42 | Integrity Check with Checksum File | Use .md5/.sha256 file | Checksum verified (the checksum file must itself come from a trusted channel) |
| 43 | Integrity Check with Digital Signature | Verify file signature | Signature valid or invalid (binds the hash to a signer, unlike a bare checksum) |
| 44 | Integrity Check with Blockchain | Store hash on blockchain | Hash verified via ledger |
| 45 | Integrity Check with TPM | Use Trusted Platform Module | Integrity verified securely (measurement anchored in TPM PCRs) |
| 46 | Integrity Check with HSM | Use Hardware Security Module | Hash securely generated |
| 47 | Integrity Check with Antivirus | Compare with AV scan | File verified clean |
| 48 | Integrity Check with SIEM | Send results to SIEM | Events logged and correlated |
| 49 | Integrity Check with Email Alert | Send email on failure | Alert received |
| 50 | Integrity Check Audit Trail | Review history of checks | Complete audit trail available |
Tunneling and Transport Modes - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Tunnel Mode Establishment | Establish IPsec in tunnel mode | Tunnel created successfully |
| 2 | Transport Mode Establishment | Establish IPsec in transport mode | Transport mode active |
| 3 | Tunnel Mode Encryption | Encrypt full IP packet | Entire original packet encrypted; new outer header added |
| 4 | Transport Mode Encryption | Encrypt only payload | Payload encrypted; original IP header visible |
| 5 | Tunnel Mode with IPv4 | Use IPv4 in tunnel mode | Tunnel established |
| 6 | Tunnel Mode with IPv6 | Use IPv6 in tunnel mode | Tunnel established |
| 7 | Transport Mode with IPv4 | Use IPv4 in transport mode | Transport mode active |
| 8 | Transport Mode with IPv6 | Use IPv6 in transport mode | Transport mode active |
| 9 | Tunnel Mode with NAT | Establish tunnel through NAT | Tunnel established with NAT traversal |
| 10 | Transport Mode with NAT | Use transport mode through NAT | Works only with ESP in UDP encapsulation (NAT-T, RFC 3948) with inner checksum fix-ups; AH fails |
| 11 | Tunnel Mode with ESP | Use ESP in tunnel mode | ESP encapsulation successful |
| 12 | Transport Mode with ESP | Use ESP in transport mode | ESP encapsulation successful |
| 13 | Tunnel Mode with AH | Use AH in tunnel mode | AH encapsulation successful |
| 14 | Transport Mode with AH | Use AH in transport mode | AH encapsulation successful |
| 15 | Tunnel Mode with AES Encryption | Use AES in tunnel mode | Data encrypted with AES |
| 16 | Transport Mode with AES Encryption | Use AES in transport mode | Data encrypted with AES |
| 17 | Tunnel Mode with SHA-256 | Use SHA-256 for integrity | Integrity verified |
| 18 | Transport Mode with SHA-256 | Use SHA-256 for integrity | Integrity verified |
| 19 | Tunnel Mode Rekeying | Force rekeying in tunnel mode | New keys negotiated |
| 20 | Transport Mode Rekeying | Force rekeying in transport mode | New keys negotiated |
| 21 | Tunnel Mode with PFS | Enable Perfect Forward Secrecy | New DH key generated |
| 22 | Transport Mode with PFS | Enable PFS in transport mode | New DH key generated |
| 23 | Tunnel Mode with Static IP | Use static IPs for peers | Tunnel established |
| 24 | Transport Mode with Dynamic IP | Use dynamic IPs for peers | SA established |
| 25 | Tunnel Mode with Routing Protocols | Run OSPF/BGP over tunnel | Routes exchanged |
| 26 | Transport Mode with Static Routes | Use static routes | Traffic routed correctly |
| 27 | Tunnel Mode with Multicast | Send multicast over tunnel | Multicast delivered |
| 28 | Transport Mode with Unicast | Send unicast traffic | Traffic encrypted and delivered |
| 29 | Tunnel Mode with Fragmentation | Send packets larger than the tunnel MTU | Packets fragmented and reassembled |
| 30 | Transport Mode with Fragmentation | Send large packets | Packets fragmented and reassembled |
| 31 | Tunnel Mode Performance Test | Measure throughput | Meets expected performance |
| 32 | Transport Mode Performance Test | Measure throughput | Meets expected performance |
| 33 | Tunnel Mode Latency Test | Measure latency | Within acceptable limits |
| 34 | Transport Mode Latency Test | Measure latency | Within acceptable limits |
| 35 | Tunnel Mode Packet Loss Test | Drop packets intentionally | Tunnel remains stable |
| 36 | Transport Mode Packet Loss Test | Drop packets intentionally | SA remains stable |
| 37 | Tunnel Mode Failover | Simulate peer failure | Tunnel re-established |
| 38 | Transport Mode Failover | Simulate peer failure | SA re-established |
| 39 | Tunnel Mode Logging | Enable logging | Tunnel events logged |
| 40 | Transport Mode Logging | Enable logging | Transport events logged |
| 41 | Tunnel Mode Monitoring | Monitor tunnel status | Status visible |
| 42 | Transport Mode Monitoring | Monitor transport session | Status visible |
| 43 | Tunnel Mode with SNMP | Monitor via SNMP | Tunnel stats visible |
| 44 | Transport Mode with Syslog | Log events to syslog | Logs received |
| 45 | Tunnel Mode with SIEM | Forward logs to SIEM | Events visible in SIEM |
| 46 | Tunnel Mode with ACL | Apply ACL to tunnel interface | Traffic filtered |
| 47 | Transport Mode with ACL | Apply ACL to transport interface | Traffic filtered |
| 48 | Tunnel Mode with QoS | Apply QoS policies | Traffic prioritized |
| 49 | Transport Mode with QoS | Apply QoS policies | Traffic prioritized |
| 50 | Tunnel vs Transport Comparison | Compare both modes | Differences in encryption scope (whole packet vs payload) and use cases (gateway-to-gateway vs host-to-host) noted |
Key Exchange (IKE/IKEv2) - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | IKEv1 Tunnel Establishment | Initiate IPsec tunnel using IKEv1 | Tunnel established successfully |
| 2 | IKEv2 Tunnel Establishment | Initiate IPsec tunnel using IKEv2 | Tunnel established successfully |
| 3 | IKEv1 Main Mode | Use IKEv1 main mode | SA established; identities sent encrypted |
| 4 | IKEv1 Aggressive Mode | Use IKEv1 aggressive mode | SA established with fewer exchanges (identities and PSK-based hash exposed; legacy interop only) |
| 5 | IKEv2 Initial Exchange | Perform IKE_SA_INIT and IKE_AUTH | IKEv2 SA established |
| 6 | IKEv2 Child SA Creation | Create CHILD_SA after IKE_AUTH | CHILD_SA established |
| 7 | IKEv2 Rekeying | Rekey IKE SA | New keys negotiated |
| 8 | IKEv2 Child SA Rekeying | Rekey CHILD_SA | New keys negotiated |
| 9 | IKEv2 Reauthentication | Force reauthentication | New IKE SA created |
| 10 | IKEv1 with PSK | Use pre-shared key for authentication | Tunnel established |
| 11 | IKEv2 with PSK | Use pre-shared key for authentication | Tunnel established |
| 12 | IKEv1 with Certificates | Use digital certificates | Tunnel established |
| 13 | IKEv2 with Certificates | Use digital certificates | Tunnel established |
| 14 | IKEv2 with EAP Authentication | Use EAP for user authentication | Tunnel established |
| 15 | IKEv2 with RSA Authentication | Use RSA signature for authentication | Tunnel established |
| 16 | IKEv2 with ECDSA Authentication | Use ECDSA for authentication | Tunnel established |
| 17 | IKEv2 with PFS | Enable Perfect Forward Secrecy | DH key exchange performed on CHILD_SA rekey |
| 18 | IKEv2 with DH Group 14 | Use DH group 14 (2048-bit MODP) | Tunnel established |
| 19 | IKEv2 with DH Group 19 | Use DH group 19 (256-bit ECP) | Tunnel established |
| 20 | IKEv2 with DH Group 20 | Use DH group 20 (384-bit ECP) | Tunnel established |
| 21 | IKEv2 with AES Encryption | Use AES-256 for encryption | Tunnel encrypted |
| 22 | IKEv2 with SHA-256 Integrity | Use SHA-256 for integrity | Tunnel established |
| 23 | IKEv2 with AES-GCM | Use AES-GCM for encryption and integrity | Tunnel established |
| 24 | IKEv2 NAT Detection | Detect NAT between peers | NAT detected via NAT_DETECTION notifies; traffic switches to UDP 4500 |
| 25 | IKEv2 Fragmentation Support | Enable IKE message fragmentation (RFC 7383) | Large messages fragmented |
| 26 | IKEv2 Dead Peer Detection | Enable DPD | Dead peer detected |
| 27 | IKEv2 Keepalive | Send periodic keepalives | Tunnel remains active; NAT mapping kept alive |
| 28 | IKEv2 Session Timeout | Wait for session timeout | Tunnel re-established |
| 29 | IKEv2 Session Resumption | Resume session after timeout (RFC 5723) | Tunnel re-established quickly |
| 30 | IKEv2 with IPv6 | Use IPv6 addresses | Tunnel established |
| 31 | IKEv2 with IPv4 | Use IPv4 addresses | Tunnel established |
| 32 | IKEv2 with FQDN | Use FQDN instead of IP | DNS resolved and tunnel established |
| 33 | IKEv2 with Dynamic IP | Use dynamic IP for peer | Tunnel established |
| 34 | IKEv2 with Static IP | Use static IP for peer | Tunnel established |
| 35 | IKEv2 with Firewall | Pass through firewall | Tunnel established |
| 36 | IKEv2 with NAT | Pass through NAT | Tunnel established |
| 37 | IKEv2 with Load Balancer | Use load-balanced gateway | Tunnel established |
| 38 | IKEv2 with Mobile Client | Connect from mobile device | Tunnel established |
| 39 | IKEv2 with Desktop Client | Connect from desktop | Tunnel established |
| 40 | IKEv2 Logging | Enable logging | Key exchange events logged |
| 41 | IKEv2 Monitoring | Monitor IKE sessions | Status visible |
| 42 | IKEv2 Performance Test | Measure key exchange time | Within acceptable limits |
| 43 | IKEv2 Packet Capture | Capture IKE packets | IKE messages visible (IKE_AUTH payloads encrypted) |
| 44 | IKEv2 Error Handling | Use invalid credentials | AUTHENTICATION_FAILED; tunnel not established |
| 45 | IKEv2 Certificate Expiry | Use expired certificate | Tunnel not established |
| 46 | IKEv2 Certificate Revocation | Use revoked certificate (CRL/OCSP) | Tunnel not established |
| 47 | IKEv2 with SIEM | Forward logs to SIEM | Events visible in SIEM |
| 48 | IKEv2 with SNMP | Monitor via SNMP | Tunnel stats visible |
| 49 | IKEv2 with Syslog | Log events to syslog | Logs received |
| 50 | IKEv2 with Redundancy | Configure redundant peers | Failover successful |
Security Associations (SAs) - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | SA Creation | Initiate IPsec connection | SA created successfully (one per direction) |
| 2 | SA Deletion | Terminate IPsec connection | SA removed |
| 3 | SA Lifetime Expiry | Wait for SA to expire | SA rekeyed or deleted |
| 4 | SA Rekeying | Force rekeying | New SA created |
| 5 | SA with IKEv1 | Establish SA using IKEv1 | SA created |
| 6 | SA with IKEv2 | Establish SA using IKEv2 | SA created |
| 7 | SA with Tunnel Mode | Use tunnel mode | SA created for full packet encryption |
| 8 | SA with Transport Mode | Use transport mode | SA created for payload encryption |
| 9 | SA with AES Encryption | Use AES-256 for encryption | SA uses AES-256 |
| 10 | SA with 3DES Encryption | Use 3DES for encryption | SA uses 3DES (SHOULD NOT per RFC 8221; legacy interop only) |
| 11 | SA with SHA-1 Integrity | Use SHA-1 for integrity | SA uses HMAC-SHA1-96 |
| 12 | SA with SHA-256 Integrity | Use SHA-256 for integrity | SA uses HMAC-SHA2-256-128 |
| 13 | SA with DH Group 14 | Use DH group 14 | SA established with DH14 |
| 14 | SA with DH Group 19 | Use DH group 19 | SA established with DH19 |
| 15 | SA with PFS Enabled | Enable Perfect Forward Secrecy | New DH key used |
| 16 | SA with NAT Traversal | Establish SA through NAT | SA created successfully |
| 17 | SA with Static IP | Use static IP for peer | SA created |
| 18 | SA with Dynamic IP | Use dynamic IP for peer | SA created |
| 19 | SA with Certificate Auth | Use certificates for authentication | SA created |
| 20 | SA with PSK Auth | Use pre-shared key for authentication | SA created |
| 21 | SA with RSA Auth | Use RSA signature for authentication | SA created |
| 22 | SA with ECDSA Auth | Use ECDSA for authentication | SA created |
| 23 | SA with IPv6 | Use IPv6 addresses | SA created |
| 24 | SA with IPv4 | Use IPv4 addresses | SA created |
| 25 | SA with FQDN | Use FQDN instead of IP | SA created |
| 26 | SA with DNS Resolution | Resolve peer via DNS | SA created |
| 27 | SA with Firewall | Pass through firewall | SA created |
| 28 | SA with Load Balancer | Use load-balanced peer | SA created |
| 29 | SA with Mobile Client | Connect from mobile device | SA created |
| 30 | SA with Desktop Client | Connect from desktop | SA created |
| 31 | SA with Logging Enabled | Enable logging | SA creation logged |
| 32 | SA with Logging Disabled | Disable logging | No logs generated |
| 33 | SA with Monitoring Tool | Monitor SA status | SA status visible |
| 34 | SA with SNMP | Monitor SA via SNMP | SA stats visible |
| 35 | SA with Syslog | Log SA events to syslog | Logs received |
| 36 | SA with SIEM | Forward SA logs to SIEM | Events visible in SIEM |
| 37 | SA with ACL | Apply ACL to SA traffic | Traffic filtered |
| 38 | SA with QoS | Apply QoS to SA traffic | Traffic prioritized |
| 39 | SA with Static Routing | Use static routes with SA | Traffic routed correctly |
| 40 | SA with Dynamic Routing | Use OSPF/BGP over SA | Routes exchanged |
| 41 | SA with Multicast Traffic | Send multicast over SA | Multicast delivered |
| 42 | SA with Fragmentation | Send large packets | Packets fragmented and reassembled |
| 43 | SA with Compression | Enable compression | Traffic compressed |
| 44 | SA with Replay Protection | Enable anti-replay | Replayed packets dropped and counted |
| 45 | SA with Sequence Number Check | Verify sequence numbers | Packets inside the window accepted (including out of order); duplicates and packets older than the window dropped |
| 46 | SA with Invalid SPI | Use invalid SPI | Packet dropped; no matching SA |
| 47 | SA with Expired Key | Use expired key | SA rekeyed or dropped |
| 48 | SA with Manual Configuration | Configure SA manually | SA created (no rekeying and no anti-replay with manual keys; test use only) |
| 49 | SA with Auto Configuration | Use auto-negotiation (IKE) | SA created |
| 50 | SA Audit Trail | Review SA history/logs | Complete audit trail available |
Protocol Support (ESP & AH) - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | ESP Tunnel Mode | Use ESP in tunnel mode | Full packet encrypted |
| 2 | ESP Transport Mode | Use ESP in transport mode | Payload encrypted, headers visible |
| 3 | AH Tunnel Mode | Use AH in tunnel mode | Full packet authenticated |
| 4 | AH Transport Mode | Use AH in transport mode | Payload authenticated, headers visible |
| 5 | ESP with AES Encryption | Use AES-256 with ESP | Data encrypted |
| 6 | ESP with 3DES Encryption | Use 3DES with ESP | Data encrypted |
| 7 | ESP with ChaCha20 Encryption | Use ChaCha20 with ESP | Data encrypted |
| 8 | ESP with SHA-256 Integrity | Use SHA-256 for ESP integrity | Integrity verified |
| 9 | AH with SHA-1 Integrity | Use SHA-1 with AH | Packet authenticated |
| 10 | AH with SHA-256 Integrity | Use SHA-256 with AH | Packet authenticated |
| 11 | ESP with Null Encryption | Use ESP with no encryption | Only integrity provided |
| 12 | AH with Null Encryption | Use AH with no encryption | Only authentication provided |
| 13 | ESP with Replay Protection | Enable anti-replay in ESP | Replay attacks blocked |
| 14 | AH with Replay Protection | Enable anti-replay in AH | Replay attacks blocked |
| 15 | ESP with NAT Traversal | Use ESP through NAT | Tunnel established with NAT-T |
| 16 | AH with NAT Traversal | Use AH through NAT | Tunnel fails (AH not NAT-friendly) |
| 17 | ESP with IPv4 | Use ESP with IPv4 | Tunnel established |
| 18 | ESP with IPv6 | Use ESP with IPv6 | Tunnel established |
| 19 | AH with IPv4 | Use AH with IPv4 | Tunnel established |
| 20 | AH with IPv6 | Use AH with IPv6 | Tunnel established |
| 21 | ESP with Fragmentation | Send large packets | Packets fragmented and reassembled |
| 22 | AH with Fragmentation | Send large packets | Packets authenticated correctly |
| 23 | ESP with PFS | Enable Perfect Forward Secrecy | DH key exchange performed |
| 24 | AH with PFS | Enable PFS with AH | DH key exchange performed |
| 25 | ESP with Manual Keying | Configure ESP manually | Tunnel established |
| 26 | AH with Manual Keying | Configure AH manually | Tunnel established |
| 27 | ESP with IKEv1 | Use ESP with IKEv1 | SA established |
| 28 | AH with IKEv1 | Use AH with IKEv1 | SA established |
| 29 | ESP with IKEv2 | Use ESP with IKEv2 | SA established |
| 30 | AH with IKEv2 | Use AH with IKEv2 | SA established |
| 31 | ESP with Certificate Auth | Use certificates for ESP | Tunnel established |
| 32 | AH with Certificate Auth | Use certificates for AH | Tunnel established |
| 33 | ESP with PSK Auth | Use pre-shared key for ESP | Tunnel established |
| 34 | AH with PSK Auth | Use pre-shared key for AH | Tunnel established |
| 35 | ESP with Logging Enabled | Enable logging | ESP events logged |
| 36 | AH with Logging Enabled | Enable logging | AH events logged |
| 37 | ESP with Monitoring Tool | Monitor ESP traffic | Traffic visible in tool |
| 38 | AH with Monitoring Tool | Monitor AH traffic | Traffic visible in tool |
| 39 | ESP with SNMP | Monitor ESP via SNMP | Stats visible |
| 40 | AH with SNMP | Monitor AH via SNMP | Stats visible |
| 41 | ESP with SIEM | Forward ESP logs to SIEM | Events visible in SIEM |
| 42 | AH with SIEM | Forward AH logs to SIEM | Events visible in SIEM |
| 43 | ESP with ACL | Apply ACL to ESP traffic | Traffic filtered |
| 44 | AH with ACL | Apply ACL to AH traffic | Traffic filtered |
| 45 | ESP with QoS | Apply QoS to ESP traffic | Traffic prioritized |
| 46 | AH with QoS | Apply QoS to AH traffic | Traffic prioritized |
| 47 | ESP with Invalid SPI | Use invalid SPI | Packet dropped |
| 48 | AH with Invalid SPI | Use invalid SPI | Packet dropped |
| 49 | ESP with Sequence Number Check | Verify sequence numbers | Packets accepted in order |
| 50 | AH with Sequence Number Check | Verify sequence numbers | Packets accepted in order |
NAT Traversal - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Basic NAT Traversal | Establish connection through NAT | Connection successful |
| 2 | Full Cone NAT | Connect through full cone NAT | Peer-to-peer connection established |
| 3 | Restricted Cone NAT | Connect through restricted cone NAT | Connection successful |
| 4 | Port-Restricted Cone NAT | Connect through port-restricted NAT | Connection successful |
| 5 | Symmetric NAT | Connect through symmetric NAT | Connection may require relay |
| 6 | NAT Type Detection | Detect NAT type using STUN | Correct NAT type identified |
| 7 | UDP Hole Punching | Use UDP hole punching | Peer-to-peer connection established |
| 8 | TCP Hole Punching | Use TCP hole punching | Peer-to-peer connection established |
| 9 | STUN Server Reachability | Contact STUN server | Public IP and port discovered |
| 10 | STUN Response Validation | Validate STUN response | Correct IP and port returned |
| 11 | TURN Server Allocation | Allocate relay on TURN server | Relay address received |
| 12 | TURN Relay Communication | Send data via TURN relay | Data relayed successfully |
| 13 | ICE Candidate Gathering | Gather ICE candidates | Candidates collected |
| 14 | ICE Connectivity Check | Perform ICE checks | Best path selected |
| 15 | NAT Timeout Handling | Wait for NAT mapping to expire | Connection drops or is re-established |
| 16 | NAT Keepalive Mechanism | Send periodic keepalives | NAT mapping maintained |
| 17 | NAT Mapping Consistency | Check if NAT mapping is consistent | Mapping remains stable |
| 18 | NAT Mapping Change Detection | Detect change in public IP/port | Change detected and handled |
| 19 | NAT Traversal with VPN | Connect through VPN | NAT traversal still works |
| 20 | NAT Traversal with Firewall | Connect through NAT + firewall | Connection successful or blocked |
| 21 | NAT Traversal with IPv6 | Attempt NAT traversal on IPv6 | Not applicable or bypassed |
| 22 | NAT Traversal with Dual Stack | Use IPv4 and IPv6 | Best path selected |
| 23 | NAT Traversal with Mobile Network | Connect from mobile carrier NAT | Connection successful |
| 24 | NAT Traversal with Carrier-Grade NAT | Connect from CGNAT | Connection successful or relayed |
| 25 | NAT Traversal with Static NAT | Use static NAT mapping | Connection successful |
| 26 | NAT Traversal with Dynamic NAT | Use dynamic NAT mapping | Connection successful |
| 27 | NAT Traversal with PAT | Use port address translation | Connection successful |
| 28 | NAT Traversal with SIP | Use SIP protocol | SIP messages traverse NAT |
| 29 | NAT Traversal with WebRTC | Use WebRTC connection | Peer-to-peer connection established |
| 30 | NAT Traversal with VoIP | Make VoIP call through NAT | Call connects successfully |
| 31 | NAT Traversal with Gaming | Join multiplayer game | Game session established |
| 32 | NAT Traversal with IoT Device | Connect IoT device through NAT | Device reachable |
| 33 | NAT Traversal with Cloud Service | Connect to cloud-hosted app | Connection successful |
| 34 | NAT Traversal with P2P App | Use peer-to-peer app | Peers connect directly |
| 35 | NAT Traversal with File Transfer | Send file peer-to-peer | File transferred successfully |
| 36 | NAT Traversal with Video Call | Start video call | Video stream established |
| 37 | NAT Traversal with Messaging App | Send message through NAT | Message delivered |
| 38 | NAT Traversal with Port Forwarding | Use manual port forwarding | Connection successful |
| 39 | NAT Traversal with UPnP | Use UPnP to open ports | Ports opened automatically |
| 40 | NAT Traversal with PCP | Use Port Control Protocol | Ports mapped successfully |
| 41 | NAT Traversal with NAT-PMP | Use NAT Port Mapping Protocol | Ports mapped successfully |
| 42 | NAT Traversal with DNS | Resolve peer IP via DNS | IP resolved correctly |
| 43 | NAT Traversal with TLS | Use TLS over NAT | Encrypted connection established |
| 44 | NAT Traversal with DTLS | Use DTLS over NAT | Encrypted connection established |
| 45 | NAT Traversal with HTTP Proxy | Use HTTP proxy | Connection tunneled |
| 46 | NAT Traversal with SOCKS Proxy | Use SOCKS5 proxy | Connection tunneled |
| 47 | NAT Traversal Logging | Enable logging | NAT traversal events logged |
| 48 | NAT Traversal Error Handling | Simulate failure | Error handled gracefully |
| 49 | NAT Traversal Performance Test | Measure latency and throughput | Within acceptable limits |
| 50 | NAT Traversal Security Test | Attempt spoofing or hijacking | Attack detected or blocked |
Replay Protection - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Basic Replay Window Check | Send packets within replay window | Packets accepted |
| 2 | Replay Attack Attempt | Resend old packet with same sequence number | Packet dropped |
| 3 | Sequence Number Wraparound | Send packets to reach max sequence number | SA rekey or drop |
| 4 | Out-of-Order Packet | Send packets out of order within window | Packets accepted |
| 5 | Large Out-of-Order Packet | Send packet outside replay window | Packet dropped |
| 6 | Replay Window Size Test | Vary window size and test limits | Behavior matches config |
| 7 | Duplicate Packet Detection | Send exact duplicate packet | Packet dropped |
| 8 | Packet Loss Simulation | Drop packets and send later ones | Later packets accepted |
| 9 | Replay Protection Disabled | Disable feature and resend packet | Packet accepted |
| 10 | Replay Protection Enabled | Enable feature and resend packet | Packet dropped |
| 11 | SA Rekey with Replay | Rekey SA and resend old packet | Packet dropped |
| 12 | Anti-Replay Counter Reset | Reset counter manually | Packets dropped |
| 13 | High Throughput Replay Test | Send high-speed traffic with duplicates | Duplicates dropped |
| 14 | IPsec Tunnel Mode Test | Test replay in tunnel mode | Replay protection works |
| 15 | IPsec Transport Mode Test | Test replay in transport mode | Replay protection works |
| 16 | ESP with Replay Protection | Use ESP with replay enabled | Duplicates dropped |
| 17 | AH with Replay Protection | Use AH with replay enabled | Duplicates dropped |
| 18 | Mixed Protocols Test | Use both AH and ESP | Replay protection works |
| 19 | IPv6 Replay Test | Use IPv6 traffic | Replay protection works |
| 20 | IPv4 Replay Test | Use IPv4 traffic | Replay protection works |
| 21 | NAT Traversal Replay Test | Use NAT-T and test replay | Replay protection works |
| 22 | Fragmented Packet Replay | Send fragmented packets | Replay protection works |
| 23 | ICMP Packet Replay | Replay ICMP over IPsec | Packet dropped |
| 24 | TCP Packet Replay | Replay TCP packet | Packet dropped |
| 25 | UDP Packet Replay | Replay UDP packet | Packet dropped |
| 26 | Replay with Delay Injection | Delay and resend packet | Packet dropped |
| 27 | Replay with Modified Payload | Modify payload and resend | Packet dropped |
| 28 | Replay with Modified Header | Modify header and resend | Packet dropped |
| 29 | Replay with Same SPI | Use same SPI and resend | Packet dropped |
| 30 | Replay with Different SPI | Use different SPI | Packet accepted |
| 31 | Replay with Expired SA | Use expired SA and resend | Packet dropped |
| 32 | Replay with Future Sequence | Use future sequence number | Packet dropped |
| 33 | Replay with Zero Sequence | Use sequence number 0 | Packet dropped |
| 34 | Replay with Random Sequence | Use random sequence numbers | Packet dropped |
| 35 | Replay with Encrypted Payload | Replay encrypted packet | Packet dropped |
| 36 | Replay with Authentication Only | Use AH only | Packet dropped |
| 37 | Replay with Encryption Only | Use ESP only | Packet dropped |
| 38 | Replay with Compression | Use IPComp with IPsec | Replay protection works |
| 39 | Replay with QoS Marking | Use DSCP/TOS bits | Replay protection works |
| 40 | Replay with VPN Failover | Failover VPN and resend | Packet dropped |
| 41 | Replay with VPN Reconnect | Reconnect VPN and resend | Packet dropped |
| 42 | Replay with Mobile IP | Use mobile IP client | Replay protection works |
| 43 | Replay with Roaming Client | Roam and resend packet | Packet dropped |
| 44 | Replay with Multicast | Use multicast traffic | Not supported/dropped |
| 45 | Replay with Broadcast | Use broadcast traffic | Not supported/dropped |
| 46 | Replay with IPv6 Extension Headers | Use IPv6 with extension headers | Replay protection works |
| 47 | Replay with Jumbo Frames | Use large MTU packets | Replay protection works |
| 48 | Replay with VPN Client Software | Use commercial VPN client | Replay protection works |
| 49 | Replay with VPN Gateway | Use enterprise VPN gateway | Replay protection works |
| 50 | Replay with Logging Enabled | Enable logs and replay packet | Logs show drop reason |
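The receiver-side behaviour these rows test (accept within the window, drop replays and duplicates, drop packets that have fallen below the window, reject sequence number 0, rekey when the counter is exhausted, and never let a packet that fails integrity verification move the window) can be exercised offline with the following Python model. It is an added example written for this page, modelled on the sliding-window algorithm described in RFC 4303, not code from the page or from any IPsec implementation. The 64-packet default, the policy of treating sequence number 0 as invalid, the two-phase `check`/`update` split and the `run_scenarios` helper are assumptions of the example. It also covers the "Sequence Number Check" rows in the SA and ESP/AH tables above.

```python
"""Anti-replay sliding window as used by ESP/AH receivers (modelled on RFC 4303 Appendix A).

Added example for this page; not code from any IPsec implementation.
"""

SEQ_MAX = 0xFFFFFFFF  # 32-bit sequence number space (extended sequence numbers not modelled)


class SequenceCounter:
    """Sender side: a monotonically increasing counter that must never wrap."""

    def __init__(self, start=0):
        self.value = start

    def next(self):
        if self.value >= SEQ_MAX:
            # RFC 4303: the sender must establish a new SA rather than cycle the counter.
            raise RuntimeError("sequence number exhausted: rekey required")
        self.value += 1
        return self.value


class AntiReplayWindow:
    """Receiver side: tracks the highest verified sequence number plus a bitmap of the
    `size` numbers below it, so out-of-order packets inside the window are accepted
    once and anything older than the window or already seen is rejected."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("window must hold at least 32 packets")  # RFC 4303 minimum
        self.size = size
        self.last = 0    # highest sequence number whose ICV has verified
        self.bitmap = 0  # bit i set  ->  sequence number (last - i) already received

    def check(self, seq):
        """Phase 1 (before ICV verification): is seq a candidate for acceptance?"""
        if seq == 0:
            return False  # assumption: 0 is treated as invalid, as the table expects
        if seq > self.last:
            return True  # right of the window: new, provided the ICV verifies
        diff = self.last - seq
        if diff >= self.size:
            return False  # fell off the left edge: too old
        return not (self.bitmap >> diff) & 1  # bit already set -> replay

    def update(self, seq):
        """Phase 2 (only after the ICV verified): record seq and slide the window."""
        mask = (1 << self.size) - 1
        if seq > self.last:
            shift = seq - self.last
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)

    def receive(self, seq, icv_valid=True):
        """Full receive path; a forged packet (bad ICV) must never advance the window."""
        if not self.check(seq):
            return "dropped:replay-or-outside-window"
        if not icv_valid:
            return "dropped:bad-icv"
        self.update(seq)
        return "accepted"


def run_scenarios(window_size=64):
    """Plays the table's scenarios against one SA and returns each outcome."""
    w = AntiReplayWindow(window_size)
    out = {}
    out["in_window"] = [w.receive(s) for s in (1, 2, 5)]        # rows 1, 8 (seq 4 lost)
    out["out_of_order"] = w.receive(3)                           # row 4
    out["replay"] = w.receive(2)                                 # rows 2, 7
    out["jump_ahead"] = w.receive(100)                           # window slides past its size
    out["below_window"] = w.receive(30)                          # row 5
    out["edge_of_window"] = w.receive(100 - window_size + 1)     # oldest seq still accepted
    out["forged_future"] = w.receive(101, icv_valid=False)       # rows 27, 32
    out["genuine_future"] = w.receive(101)                       # same seq, authentic packet
    out["zero_seq"] = w.receive(0)                               # row 33
    out["last"] = w.last
    counter = SequenceCounter(start=SEQ_MAX - 1)
    out["final_seq"] = counter.next()
    try:
        counter.next()
        out["wraparound"] = "counter wrapped"
    except RuntimeError:
        out["wraparound"] = "rekey required"                     # row 3
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16s} {result}")
```

The split into `check` before and `update` after integrity verification is the security-relevant detail: if the window moved on an unverified packet, anyone able to inject traffic could push `last` far ahead and cause legitimate in-flight packets to be discarded as "too old". Row 6 (window size) is exercised by passing a different `window_size` to `run_scenarios` or constructing `AntiReplayWindow` directly.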
Flexible Algorithm Support - Testcases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Default Algorithm Negotiation | Initiate VPN with default settings | Negotiation succeeds |
| 2 | AES-CBC Support | Use AES-CBC encryption | Tunnel established |
| 3 | AES-GCM Support | Use AES-GCM encryption | Tunnel established |
| 4 | ChaCha20-Poly1305 Support | Use ChaCha20-Poly1305 encryption | Tunnel established |
| 5 | SHA-256 Authentication | Use SHA-256 for integrity | Tunnel established |
| 6 | SHA-384 Authentication | Use SHA-384 for integrity | Tunnel established |
| 7 | SHA-512 Authentication | Use SHA-512 for integrity | Tunnel established |
| 8 | MD5 Authentication (Legacy) | Use MD5 for integrity | Tunnel established (if supported) |
| 9 | RSA Key Exchange | Use RSA for key exchange | Tunnel established |
| 10 | DH Group 2 Support | Use Diffie-Hellman Group 2 | Tunnel established |
| 11 | DH Group 14 Support | Use Diffie-Hellman Group 14 | Tunnel established |
| 12 | DH Group 19 Support | Use Diffie-Hellman Group 19 | Tunnel established |
| 13 | DH Group 20 Support | Use Diffie-Hellman Group 20 | Tunnel established |
| 14 | ECDH Support | Use Elliptic Curve DH | Tunnel established |
| 15 | Algorithm Mismatch | Use unsupported algorithm | Tunnel fails |
| 16 | Multiple Algorithm Proposals | Propose multiple algorithms | Best match selected |
| 17 | Algorithm Rejection | Peer rejects proposed algorithm | Tunnel fails |
| 18 | Fallback to Default Algorithm | Peer rejects all proposals | Fallback algorithm used |
| 19 | IKEv2 Algorithm Negotiation | Use IKEv2 for negotiation | Tunnel established |
| 20 | IKEv1 Algorithm Negotiation | Use IKEv1 for negotiation | Tunnel established |
| 21 | Mixed Mode Algorithms | Use different algorithms for ESP and AH | Tunnel established |
| 22 | Algorithm Change During Rekey | Change algorithm during rekey | Rekey succeeds |
| 23 | Algorithm Compatibility Test | Test compatibility with peer device | Tunnel established |
| 24 | Algorithm Performance Benchmark | Measure performance of each algorithm | Performance metrics recorded |
| 25 | Algorithm Selection Logging | Enable logs for selection process | Logs show selected algorithm |
| 26 | Algorithm Negotiation Failure | Force mismatch in proposals | Tunnel fails |
| 27 | Algorithm Downgrade Attack Test | Attempt downgrade attack | Attack detected or blocked |
| 28 | Algorithm Upgrade Test | Upgrade to stronger algorithm | Tunnel re-established |
| 29 | Legacy Device Compatibility | Connect to legacy device | Tunnel established (if compatible) |
| 30 | Strongest Algorithm Preference | Prefer strongest algorithm | Strongest available selected |
| 31 | Weak Algorithm Rejection | Reject weak algorithms | Tunnel fails or uses strong algorithm |
| 32 | Custom Algorithm Policy | Apply custom selection policy | Policy enforced |
| 33 | Algorithm Negotiation Timeout | Delay response during negotiation | Negotiation times out |
| 34 | Algorithm Negotiation Retry | Retry after failure | Tunnel established |
| 35 | Algorithm Negotiation with NAT | Use NAT environment | Negotiation succeeds |
| 36 | Algorithm Negotiation with IPv6 | Use IPv6 traffic | Negotiation succeeds |
| 37 | Algorithm Negotiation with IPv4 | Use IPv4 traffic | Negotiation succeeds |
| 38 | Algorithm Negotiation with Mobile | Use mobile client | Negotiation succeeds |
| 39 | Algorithm Negotiation with Roaming | Roam and reconnect | Negotiation succeeds |
| 40 | Algorithm Negotiation with Failover | Failover and reconnect | Negotiation succeeds |
| 41 | Algorithm Negotiation with VM | Use virtual machine | Negotiation succeeds |
| 42 | Algorithm Negotiation with Container | Use containerized VPN | Negotiation succeeds |
| 43 | Algorithm Negotiation with Gateway | Use enterprise VPN gateway | Negotiation succeeds |
| 44 | Algorithm Negotiation with Client | Use commercial VPN client | Negotiation succeeds |
| 45 | Algorithm Negotiation with Server | Use VPN server | Negotiation succeeds |
| 46 | Algorithm Negotiation with Cloud | Use cloud VPN endpoint | Negotiation succeeds |
| 47 | Algorithm Negotiation with IoT | Use IoT device | Negotiation succeeds |
| 48 | Algorithm Negotiation with Firewall | Use firewall between peers | Negotiation succeeds |
| 49 | Algorithm Negotiation with Proxy | Use proxy between peers | Negotiation succeeds |
| 50 | Algorithm Negotiation with Logging | Enable full logging | Logs show negotiation steps |
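Rows 15, 16, 25, 29, 30, 31, 32 and 50 of the table above all come down to one responder-side decision: which of the initiator's proposals, if any, to accept, and why. The following Python model is an added example for this page, a simplified illustration rather than the selection logic of any IKE daemon. It reduces each proposal to one (encryption, integrity, DH group) triple, which is simpler than real IKEv2 proposals that carry several transforms per type. The strength ranks, the weak-algorithm list and the sample policies are assumptions of the example; the group names map to the table's DH groups (MODP1024 is group 2, MODP2048 is group 14, ECP256 is group 19, ECP384 is group 20).

```python
"""Responder-side IKE proposal selection with a weak-algorithm policy.

Added example for this page; a simplified model, not the selection logic of any IKE
daemon. Strength ranks and the weak-algorithm list are editorial assumptions.
"""
from dataclasses import dataclass

# Assumed strength ranks (higher is stronger). AEAD ciphers carry their own integrity.
ENCR_RANK = {"AES-GCM-256": 4, "CHACHA20-POLY1305": 4, "AES-CBC-256": 3,
             "AES-CBC-128": 2, "3DES": 1, "NULL": 0}
INTEG_RANK = {"AEAD": 4, "HMAC-SHA2-512": 4, "HMAC-SHA2-384": 3,
              "HMAC-SHA2-256": 2, "HMAC-SHA1": 1, "HMAC-MD5": 0}
DH_RANK = {"ECP384": 4, "ECP256": 3, "MODP2048": 2, "MODP1024": 0}

# Policy: algorithms this responder refuses regardless of what the initiator offers.
WEAK = {"3DES", "NULL", "HMAC-MD5", "HMAC-SHA1", "MODP1024"}


@dataclass(frozen=True)
class Proposal:
    encr: str
    integ: str
    dh: str

    def rank(self):
        # A suite is only as strong as its weakest component.
        return min(ENCR_RANK[self.encr], INTEG_RANK[self.integ], DH_RANK[self.dh])

    def weak_parts(self):
        return sorted({self.encr, self.integ, self.dh} & WEAK)

    def __str__(self):
        return f"{self.encr}/{self.integ}/{self.dh}"


def negotiate(local_policy, offered, reject_weak=True):
    """Pick the strongest proposal acceptable to both sides; returns (chosen, log).

    `local_policy` is the set of proposals this responder is configured to accept and
    `offered` the initiator's proposals in its preference order. `chosen` is None when
    nothing survives (an IKEv2 responder would then answer NO_PROPOSAL_CHOSEN).
    """
    log = []
    candidates = []
    for p in offered:
        if reject_weak and p.weak_parts():
            log.append(f"reject {p}: weak {','.join(p.weak_parts())}")
        elif p not in local_policy:
            log.append(f"reject {p}: not in local policy")
        else:
            candidates.append(p)
            log.append(f"candidate {p} rank={p.rank()}")
    if not candidates:
        log.append("NO_PROPOSAL_CHOSEN")
        return None, log
    chosen = max(candidates, key=Proposal.rank)  # strongest wins; ties keep initiator order
    log.append(f"selected {chosen}")
    return chosen, log


# Constructed sample suites and a responder policy that accepts only the first two.
STRONG = Proposal("AES-GCM-256", "AEAD", "ECP384")
GOOD = Proposal("AES-CBC-256", "HMAC-SHA2-256", "MODP2048")
LEGACY = Proposal("3DES", "HMAC-SHA1", "MODP1024")
RESPONDER_POLICY = {STRONG, GOOD}


def scenarios():
    """Returns the outcomes for the negotiation rows the table above lists."""
    strongest, strongest_log = negotiate(RESPONDER_POLICY, [LEGACY, GOOD, STRONG])  # rows 16, 30
    mismatch, mismatch_log = negotiate(RESPONDER_POLICY, [LEGACY])                   # rows 15, 31
    legacy, _ = negotiate(RESPONDER_POLICY | {LEGACY}, [LEGACY], reject_weak=False)  # row 29
    return {
        "strongest": str(strongest),
        "strongest_log": strongest_log,
        "mismatch": mismatch,
        "mismatch_log": mismatch_log,
        "legacy_when_allowed": str(legacy),
    }


if __name__ == "__main__":
    for line in scenarios()["strongest_log"]:
        print(line)
```

The log lines are what rows 25 and 50 ask a tester to look for: every rejected proposal names the reason, so a negotiation failure can be traced to either a policy mismatch or a deliberately refused weak algorithm. Relaxing `reject_weak` is the "legacy device" case of row 29 and should be a conscious per-peer exception, not the default.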
Reference links