VPNC Certificates Conformance Test

The Certificates Conformance test checks whether the tested gateway can authenticate itself using standard PKIX digital certificates in RSA signature mode. This is by far the most common way of using digital certificates for authentication in IKE. The certificate is checked to see that it was issued by the VPNC test CA and that the identity offered in the IKE exchange matches one of the identities in the certificate.

There are two conformance gateways that products are tested against: one running OpenBSD, the other running KAME. These two systems were chosen because they are independently developed, have open source code, are actively maintained, and have been widely tested against commercial systems by their developers.

When testing, the test gateway initiated and set up a Phase 1 with the conformance gateway and a Phase 2 for the hosts on the networks behind each gateway. In IKE Main Mode, the test gateway proposed TripleDES, SHA-1, MODP group 2 (1024-bit), authentication with certificates, no PFS, and no rekeying. After Phase 1 and Phase 2 were set up, the host behind the test gateway connected to the web server on the host behind the conformance gateway and retrieved a short message from it. The test was then repeated against the second conformance gateway.

The following lists the products that passed. The links after the product names are to the debugging information generated on each conformance gateway during the successful test. It is unlikely that this information is of much value to typical users; however, without it, you have no proof that the company even tested their products against the conformance gateways. On each conformance gateway, the debug output is:

Company                      | Product                           | OpenBSD testing                  | KAME testing
Ashley Laurent               | BroadWay ISS                      | debug, report, outside, inside   | debug, outside, inside
Cisco                        | VPN 3000 Concentrator             | debug, report, outside, inside   | debug, outside, inside
CyberGuard                   | Premium Appliance Firewall Family | debug, report, outside, inside   | debug, outside, inside
DigiSAFE                     | BigBouncer                        | debug, report, outside, inside   | debug, outside, inside
Intoto                       | iGateway family                   | debug, report, outside, inside   | debug, outside, inside
NETGEAR                      | FVL328                            | debug, report, outside, inside   | debug, outside, inside
NetScreen                    | NetScreen                         | debug, report, outside, inside   | debug, outside, inside
Quarry Technologies          | iQ-series Switches                | debug, report, outside, inside   | debug, outside, inside
SSH Communications Security  | IPSEC Express                     | debug, report, outside, inside   | debug, outside, inside
SSH Communications Security  | QuickSec Toolkit                  | debug, report, outside, inside   | debug, outside, inside
Stonesoft                    | StoneGate                         | debug, report, outside, inside   | debug, outside, inside
WatchGuard                   | WatchGuard Firebox Vclass         | debug, report, outside, inside   | debug, outside, inside
Wipro Technologies           | Wipro Home Gateway                | debug, report, outside, inside   | debug, outside, inside

If you have comments or questions about VPNC's testing, please feel free to send them to Paul Hoffman, VPNC's director, at paul.hoffman@vpnc.org.