HSC
Network Security Consulting Agency Since 1989 - Specialized in Unix, Windows, TCP/IP and Internet
Hervé Schauer Consultants
IPsec 2000 Interop Demo

Description: This document and the associated sub-documents form a report on the tests which were conducted on the occasion of the setup of an interoperability demonstration platform for the IPsec 2000 conference.
Dates: 24-27 October 2000 - IPsec 2000 conference
       13 November 2000 - Publication of the results on www.hsc.fr
Table of contents:
  Introduction
  Implementations tested
  Network layout
  Tests conducted
  Results - Initial negotiation
  Results - SA deletion and renewal
  Configurations and details on the implementations
Related documents: IPsec 2001 - IKE Interoperability Demonstrations and Tests [October 2001 - French/English]; IPsec theme
Author: Ghislaine Labouret
Copyright © 2000, Hervé Schauer Consultants, all rights reserved.

 

IPsec 2000


Introduction

On the occasion of the IPsec 2000 conference, organised by Upper Side, an IKE/IPsec demonstration and test platform was set up. Vendors were invited to take part in the event, which was coordinated by HSC. HSC acted as an integrator, but mainly provided its expertise in network security (and in particular IPsec).

The aims of this event were to:

  • Demonstrate interoperability to the public
  • Get a feeling of the feature level of current IPsec implementations
This event was not a bakeoff; it was not intended to perform exhaustive or advanced feature testing.

This report covers the tests performed during the two following stages:

  • Preparation in HSC's office from Thursday 19 to Monday 23 October
    • Network setup
    • Tests so as to find working configurations
  • Demonstration during the IPsec 2000 conference, from Tuesday 24 to Friday 27 October


Implementations tested

Four IPsec device vendors participated:

HSC added two open-source implementations:
  • FreeS/WAN (v1.6 running on Linux RedHat 6.2)
  • KAME (v20001023 running on FreeBSD 4.1)
In addition to these IPsec implementations, two network analysers were used:

Finally, the certificates used were generated locally using:


Network layout

All the devices were directly interconnected through a 10BASE-T Ethernet network, simply made of two 16-port hubs.

The addressing plan was as follows:

The following services were provided:

  • Internet access
    • ISDN router (192.168.1.1) with free ISP
    • NATed :-(
  • DNS server (192.168.1.40)
    • ipsec2000.fr domain
    • _vendor_.ipsec2000.fr sub-domains
  • Anonymous FTP server for (quick and dirty) file exchange
  • Certificate authority


Tests conducted

The test case was the following:

  • Fully meshed, gateway-to-gateway VPN
  • Protect all traffic between internal networks
  • Use exclusively IKE (no manual IPsec)

Phase 1 parameters:

  • Main Mode, 3DES, SHA-1, DH group 2, default lifetimes
  • Peer authentication:
    • Pre-Shared Key
    • RSA Signature

Phase 2 parameters:

  • No PFS
  • Protect all traffic between internal networks
  • Negotiate tunnel mode ESP (3DES, HMAC-SHA-1)
  • No compression

The situations which were tested were:

  • Initial negotiation
  • Voluntary SA deletion
  • Rekeying
Checking was performed using logs, pings and web accesses, and with the network analysers. The tests were very IKE-oriented; no real IPsec-level test was performed (no fragmentation test, for example).


Results - Initial negotiation

Overall, few adaptations from the default configurations were necessary and few bugs were encountered.

Pre-Shared Key Authentication

All the implementations were able to interoperate (as initiator and as responder): for each situation, we were able to find a configuration which led to the creation of functional ISAKMP and IPsec SAs.

RSA Signature Authentication

  • Alcatel
    Not tested because we could not get the box to accept our certificates.
  • Check Point
    Successfully tested with KAME and Nortel.
  • FreeS/WAN
    FreeS/WAN does not include certificate support: the public keys have to be exchanged off-line or via DNSSEC (there is an X.509 patch for FreeS/WAN, but we did not use it). Nortel and Check Point both require online certificate exchange, so they cannot interoperate with FreeS/WAN. On the other hand, KAME can get public keys by off-line means; it correctly interoperates with FreeS/WAN using RSA-Sig authentication.
  • KAME
    Successfully tested with Check Point, FreeS/WAN and Nortel.
  • Nortel
    Successfully tested with Check Point and KAME.
  • RedCreek
    The RSA signature authentication method is not available on this device.


Results - SA deletion and renewal

Voluntary SA deletion

When an IPsec device deletes security associations (end of lifetime or administrator's action), it is supposed to send "SA deletion" informational messages, so that the peer device can also delete the involved SAs.

The tested devices follow this rule, with the exception of:

  • FreeS/WAN: does not send any SA deletion message and does not take received messages into account
  • Check Point VPN-1: does not send any SA deletion message
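As an added example (not from this report nor from any of the implementations tested), the following Python parser implements the check that was made on the analysers above: whether a device announces the deletion of its ESP SAs with an ISAKMP Informational exchange carrying a Delete payload. The message layout is that of RFC 2408; the cookies, message ID and SPIs used in build_delete are constructed sample values. Once Phase 1 is complete, Informational exchanges are encrypted, so the parser reports the E bit rather than guessing at ciphertext.

```python
import struct

ISAKMP_HDR_LEN = 28        # two 8-byte cookies + 12 bytes of fixed header (RFC 2408 3.1)
EXCH_INFORMATIONAL = 5     # exchange type that carries Delete / Notify payloads
PAYLOAD_DELETE = 12        # next-payload value of a Delete payload (RFC 2408 3.15)
FLAG_ENCRYPTED = 0x01      # E bit: everything after the header is ciphertext
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP"}

def parse_isakmp(dgram: bytes) -> dict:
    """Return exchange type, E flag and every cleartext Delete payload as (proto, [spi hex])."""
    if len(dgram) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    _ic, _rc, nxt, _ver, exch, flags, _mid, length = struct.unpack(
        "!8s8sBBBBII", dgram[:ISAKMP_HDR_LEN])
    if length != len(dgram):
        raise ValueError("ISAKMP length field disagrees with datagram size")
    out = {"exchange": exch, "encrypted": bool(flags & FLAG_ENCRYPTED), "deletes": []}
    if out["encrypted"]:
        return out   # post-Phase-1 Deletes are encrypted: only the header is readable
    off = ISAKMP_HDR_LEN
    while nxt != 0:   # walk the payload chain via the next-payload bytes
        if off + 4 > length:
            raise ValueError("payload chain runs past end of datagram")
        pl_next, _res, pl_len = struct.unpack("!BBH", dgram[off:off + 4])
        if pl_len < 4 or off + pl_len > length or (nxt == PAYLOAD_DELETE and pl_len < 12):
            raise ValueError("bad payload length")
        if nxt == PAYLOAD_DELETE:
            _doi, proto, spi_size, nspi = struct.unpack("!IBBH", dgram[off + 4:off + 12])
            body = dgram[off + 12:off + pl_len]
            if len(body) != spi_size * nspi:
                raise ValueError("SPI count does not match Delete payload length")
            spis = [body[i * spi_size:(i + 1) * spi_size].hex() for i in range(nspi)]
            out["deletes"].append((PROTO_NAMES.get(proto, proto), spis))
        nxt, off = pl_next, off + pl_len
    return out

def build_delete(proto: int, spis: list, encrypted: bool = False) -> bytes:
    """Constructed sample datagram: one Informational exchange carrying one Delete payload."""
    body = b"".join(spis)
    delete = (struct.pack("!BBH", 0, 0, 12 + len(body))
              + struct.pack("!IBBH", 1, proto, len(spis[0]), len(spis)) + body)
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, PAYLOAD_DELETE, 0x10,
                      EXCH_INFORMATIONAL, FLAG_ENCRYPTED if encrypted else 0,
                      0x1234, ISAKMP_HDR_LEN + len(delete))
    return hdr + delete

def announces_deletion(dgram: bytes, proto_name: str) -> bool:
    """The report's check: does this message tell the peer to drop its <proto_name> SAs?"""
    p = parse_isakmp(dgram)
    return p["exchange"] == EXCH_INFORMATIONAL and any(n == proto_name for n, _ in p["deletes"])
```

Fed with the UDP/500 payloads captured on the hub, a device that tears down a tunnel without any Informational/Delete message (as FreeS/WAN and Check Point VPN-1 did here) leaves its peer holding stale SAs until their lifetime expires.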

SA renewal

Security association renewal was not thoroughly tested. The tests conducted on IPsec SA renewal were successful; no explicit test was conducted on IKE SA renewal.


Configurations and details on the implementations

Last modified on 23 October 2002 at 15:26:12 CET - webmaster@hsc.fr
© 1989-2010 Hervé Schauer Consultants