The IPv6 Interoperability test assures VPN users that IPsec systems are generally interoperable with other IPsec systems when using IPv6 for both access to a protected network and on the Internet. To pass, a system has to interoperate with at least three quarters of the other systems that are in the test. This test is extremely similar to the VPNC AES Interoperability test, except that the systems use IPv6 addresses for both the protected network (the LAN) and the unprotected network (the Internet).
Every system in the test is tested against every other system. Most pairs of systems are tested twice, switching the roles of initiator and responder. For two systems to be considered interoperable, they each must be able to be initiator or responder. An exception to this rule is that systems that are typically used as remote-access VPN clients are always tested as the initiator because that is how they are almost always deployed by VPN users. If a pair of systems fails a test, it is noted whether or not an IPsec tunnel could be created with one of the systems acting as the initiator, or whether no tunnel could ever be set up.
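The pairing and pass rules described above can be expressed as a short scoring routine. This is an added example, not VPNC's own tooling; the system names and tunnel results are constructed, and skipping client-to-client pairs and dividing by the number of peers actually tested are assumptions.

```python
from fractions import Fraction
from itertools import combinations

PASS_THRESHOLD = Fraction(3, 4)  # "at least three quarters of the other systems"

def classify_pair(a, b, tunnels, clients):
    """Return 'interoperable', 'one-way' or 'none' for an unordered pair.

    tunnels: set of (initiator, responder) pairs that brought up a tunnel.
    clients: remote-access clients, which are only ever tested as initiator.
    Returns None for a client/client pair (assumption: such pairs are not run).
    """
    if a in clients and b in clients:
        return None
    if a in clients or b in clients:
        init, resp = (a, b) if a in clients else (b, a)
        return "interoperable" if (init, resp) in tunnels else "none"
    ok = [(a, b) in tunnels, (b, a) in tunnels]
    if all(ok):
        return "interoperable"  # both roles worked
    return "one-way" if any(ok) else "none"

def score(systems, tunnels, clients=frozenset()):
    """Map each system to (interoperable peers, peers tested, passed?)."""
    good = {s: 0 for s in systems}
    tested = {s: 0 for s in systems}
    for a, b in combinations(systems, 2):
        verdict = classify_pair(a, b, tunnels, clients)
        if verdict is None:
            continue
        for s in (a, b):
            tested[s] += 1
            good[s] += verdict == "interoperable"
    return {s: (good[s], tested[s],
                tested[s] > 0
                and Fraction(good[s], tested[s]) >= PASS_THRESHOLD)
            for s in systems}

# Constructed sample run (hypothetical systems, not the page's results).
SYSTEMS = ["gw-a", "gw-b", "gw-c", "gw-d", "client-x"]
CLIENTS = {"client-x"}
TUNNELS = {(i, r) for i in SYSTEMS for r in SYSTEMS
           if i != r and r not in CLIENTS}
# gw-a/gw-b only comes up when gw-a initiates; client-x never reaches gw-b.
TUNNELS -= {("gw-b", "gw-a"), ("client-x", "gw-b")}

if __name__ == "__main__":
    for name, (ok, n, passed) in score(SYSTEMS, TUNNELS, CLIENTS).items():
        print(f"{name}: {ok}/{n} {'PASS' if passed else 'FAIL'}")
```

A one-way pair is recorded separately from a total failure but still does not count toward the three-quarters threshold, which is why gw-b fails in the sample while gw-a passes.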
The IPv6 Interoperability test mirrors typical use of IPsec systems in VPNs in IPv6-only networks. A gateway system protects a network of systems behind the gateway; a remote-access client protects either just the single system on which it is running, or a pseudo-network of addresses that refer to the single system.
As specified in the VPNC documentation profile, in IKE Phase 1, each system uses 128-bit AES, SHA-1, MODP group 2 (1024-bit), and a pre-shared secret of "hr5xb84l6aa9r6". In IKE Phase 2, each system uses 128-bit AES, SHA-1, ESP tunnel mode, and PFS with MODP group 2 (1024-bit). For this test, all addresses are from IPv6 /64 subnets.
The following are the results from the testing, including notes that might affect users checking the results on their own.
AuthenTec QuickSec Toolkit (version 5.0) passed all tests in both directions with all other participants.
Certicom Security Builder IPSec (version 3.2.5) passed all tests as initiator with all other participants. Security Builder IPSec was tested as a remote-access client, and therefore always initiated.
Cisco ASA Family (version 8.4.1.10) passed all tests in both directions with all participants other than the Certicom client; further testing is pending.
Juniper Networks NetScreen family (ScreenOS 6.1) passed all tests in both directions with all other participants.
Mocana NanoSec (version 5.3.1) passed all tests in both directions with all other participants.
Stonesoft StoneGate (version 5.3.1) passed all tests in both directions with all other participants.
Wind River IPIKE (version 6.9) passed all tests in both directions with all other participants.
The following are links to the files showing each pair of systems interoperating. Each file shows an expanded dump of the IKE messages setting up the secure IPsec tunnel. The information was collected with "tethereal", part of the excellent freeware "ethereal" network diagnostics package.
It is unlikely that this information is of much value to typical users; however, without it, you have no proof that the two systems actually were able to interoperate.
AuthenTec QuickSec Toolkit initiating to:
Cisco ASA Family
Juniper Networks NetScreen family
Mocana NanoSec
Stonesoft StoneGate
Wind River IPIKE
Certicom Security Builder IPSec initiating to:
AuthenTec QuickSec Toolkit
Cisco ASA Family
Juniper Networks NetScreen family
Mocana NanoSec
Stonesoft StoneGate
Wind River IPIKE
Cisco ASA Family initiating to:
AuthenTec QuickSec Toolkit
Juniper Networks NetScreen family
Mocana NanoSec
Stonesoft StoneGate
Wind River IPIKE
Juniper Networks NetScreen family initiating to:
AuthenTec QuickSec Toolkit
Cisco ASA Family
Mocana NanoSec
Stonesoft StoneGate
Wind River IPIKE
Mocana NanoSec initiating to:
AuthenTec QuickSec Toolkit
Cisco ASA Family
Juniper Networks NetScreen family
Stonesoft StoneGate
Wind River IPIKE
Stonesoft StoneGate initiating to:
AuthenTec QuickSec Toolkit
Cisco ASA Family
Juniper Networks NetScreen family
Mocana NanoSec
Wind River IPIKE
Wind River IPIKE initiating to:
AuthenTec QuickSec Toolkit
Cisco ASA Family
Juniper Networks NetScreen family
Mocana NanoSec
Stonesoft StoneGate
If you have comments or questions about VPNC's testing, please feel free to send them to Paul Hoffman, VPNC's director, at paul.hoffman@vpnc.org.