The IKEv2 Basic Interoperability test assures VPN users that IKEv2 systems acting as gateways are generally interoperable with other IKEv2 systems. To pass, a system has to interoperate with all of the other systems that are in the test.
Every system in the test is tested against every other system. Most pairs of systems are tested twice, switching the roles of initiator and responder. For two systems to be considered interoperable, each must be able to act as either initiator or responder. An exception to this rule is that systems that are typically used as remote-access VPN clients are always tested as the initiator, because that is how they are almost always deployed by VPN users.
The IKEv2 Basic Interoperability Test mirrors typical use of IPsec systems in VPNs. A gateway system protects a network of systems behind the gateway; a remote-access client protects either just the single system on which it is running, or a pseudo-network of addresses that refer to the single system.
In the IKE_SA_INIT exchange (similar to IKEv1 "Phase 1"), each system uses AES-128, SHA-1, MODP group 2 (1024-bit), and a pre-shared secret of "hr5xb84l6aa9r6". In the IKE_AUTH exchange (similar to IKEv1 "Phase 2"), each system uses AES, SHA-1, and ESP tunnel mode.
The following are the results from the testing, including notes that might affect users checking the results on their own.
Certicom Security Builder IPSec (version 3.2.5) passed all tests as initiator with all other participants. Security Builder IPSec was tested as a remote-access client, and therefore always initiated.
Cisco ASA Family (version 8.4.1.10) passed all tests in both directions with all other participants.
Juniper Networks NetScreen family (ScreenOS 6.1) passed all tests in both directions with all other participants.
AuthenTec QuickSec Toolkit (version 5.0) passed all tests in both directions with all other participants.
Mocana NanoSec (version 5.3.1) passed all tests in both directions with all other participants.
SonicWALL TZ and PRO products running SonicOS Enhanced (version 5.3) passed all tests in both directions with all other participants.
Stonesoft Stonegate (version 5.3.1) passed all tests in both directions with all other participants.
Wind River IPIKE (version 6.9) passed all tests in both directions with all other participants.
The following are links to the files showing each pair of systems interoperating. Each file shows an expanded dump of the IKEv2 messages setting up the secure IPsec tunnel. The information was collected with "tethereal", part of the excellent freeware "ethereal" network diagnostics package.
It is unlikely that this information is of much value to typical users; however, without it, you have no proof that the two systems actually were able to interoperate.
AuthenTec QuickSec toolkit initiating to:
Cisco ASA Family
Juniper NetScreen family
Mocana NanoSec
SonicWALL TZ and PRO products running SonicOS Enhanced
Stonesoft Stonegate
Wind River IPIKE family
Certicom Security Builder IPSec initiating to:
AuthenTec QuickSec toolkit
Cisco ASA Family
Juniper NetScreen family
Mocana NanoSec
SonicWALL TZ and PRO products running SonicOS Enhanced
Stonesoft Stonegate
Wind River IPIKE family
Cisco ASA Family initiating to:
AuthenTec QuickSec toolkit
Juniper NetScreen family
Mocana NanoSec
SonicWALL TZ and PRO products running SonicOS Enhanced
Stonesoft Stonegate
Wind River IPIKE family
Juniper NetScreen family initiating to:
AuthenTec QuickSec toolkit
Cisco ASA Family
Mocana NanoSec
SonicWALL TZ and PRO products running SonicOS Enhanced
Stonesoft Stonegate
Wind River IPIKE family
Mocana NanoSec initiating to:
AuthenTec QuickSec toolkit
Cisco ASA Family
Juniper NetScreen family
SonicWALL TZ and PRO products running SonicOS Enhanced
Stonesoft Stonegate
Wind River IPIKE family
SonicWALL TZ and PRO products running SonicOS Enhanced initiating to:
AuthenTec QuickSec toolkit
Cisco ASA Family
Juniper NetScreen family
Mocana NanoSec
Stonesoft Stonegate
Wind River IPIKE family
Stonesoft Stonegate initiating to:
AuthenTec QuickSec toolkit
Cisco ASA Family
Juniper NetScreen family
Mocana NanoSec
SonicWALL TZ and PRO products running SonicOS Enhanced
Wind River IPIKE family
Wind River IPIKE family initiating to:
AuthenTec QuickSec toolkit
Cisco ASA Family
Juniper NetScreen family
Mocana NanoSec
SonicWALL TZ and PRO products running SonicOS Enhanced
Stonesoft Stonegate
If you have comments or questions about VPNC's testing, please feel free to send them to Paul Hoffman, VPNC's director, at paul.hoffman@vpnc.org.