
VPNC Rekeying Conformance Test


The Rekeying Conformance test checks whether the tested gateway can automatically rekey the Phase 2 SA when a rekey is needed. The purpose of rekeying is to limit how much data a snooper can collect that has been encrypted under a single key. Automatic rekeying and PFS are generally considered advanced features, needed only by IPsec users who face aggressive and sophisticated attackers, but employing them adds very little overhead to typical IPsec use.

There are two conformance gateways that products are tested against: one running OpenBSD, the other running KAME. These two systems were chosen because they are independently developed, have open source code, are actively maintained, and have been widely tested against commercial systems by their developers.

When testing, the test gateway initiated and set up a Phase 1 with the conformance gateway and a Phase 2 for the hosts on the networks behind each gateway. In IKE Main Mode, the test gateway proposed TripleDES, SHA-1, MODP group 2 (1024-bit), a pre-shared secret of "mekmitasdigoat", PFS, and rekeying. After setting up Phase 1 and Phase 2, the host behind the test gateway connected to the web server on the host behind the conformance gateway and retrieved a short message from it. The test was then repeated against the second conformance gateway. To pass, a host on a network behind the test gateway must reach a web server on a network behind the conformance gateway during the first Phase 2 SA, and again during the Phase 2 SA established after the rekey.
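As an added illustration of the pass criterion above (this is not VPNC's own test tooling), the following Python checker walks a constructed trace of Phase 2 SA installs and web fetches and decides whether a gateway would pass. The event format, the SPI values and the rule that a rekeyed SA must carry fresh SPIs are assumptions made for this example.

```python
"""Checker for the VPNC rekeying pass criterion (constructed example, not VPNC code)."""


def evaluate_rekey_test(events):
    """Return (passed, reason) for an ordered event trace.

    Events (assumed format):
      ("sa", spi_in, spi_out)  a Phase 2 SA pair was installed on the gateway
      ("get", ok)              the host behind the test gateway fetched the web page
    Pass requires a successful GET under the first Phase 2 SA and another under
    a distinct SA installed by the rekey.
    """
    sas = []            # (spi_in, spi_out) pairs in install order
    fetched_under = set()  # indices of SAs under which a GET succeeded
    for ev in events:
        kind = ev[0]
        if kind == "sa":
            pair = (ev[1], ev[2])
            # A rekey must negotiate fresh SPIs; reusing the old ones is not a new SA.
            if sas and pair == sas[-1]:
                return False, "rekey reused the previous SPIs; no new SA was created"
            sas.append(pair)
        elif kind == "get":
            if not sas:
                return False, "traffic observed before any Phase 2 SA existed"
            if ev[1]:
                fetched_under.add(len(sas) - 1)
        else:
            raise ValueError(f"unknown event {kind!r}")
    if 0 not in fetched_under:
        return False, "no successful fetch under the first Phase 2 SA"
    if len(sas) < 2:
        return False, "no rekey observed"
    if not any(i in fetched_under for i in range(1, len(sas))):
        return False, "no successful fetch under the post-rekey Phase 2 SA"
    return True, f"passed: {len(sas)} Phase 2 SAs, fetch succeeded before and after rekey"


# Constructed traces; SPI values are arbitrary, not from a real conformance gateway.
PASSING_TRACE = [
    ("sa", 0x0A1B2C3D, 0x1E2F3A4B),
    ("get", True),
    ("sa", 0x5C6D7E8F, 0x9A0B1C2D),  # rekey: fresh SPIs in both directions
    ("get", True),
]
FAILING_TRACE = [
    ("sa", 0x0A1B2C3D, 0x1E2F3A4B),
    ("get", True),
    ("sa", 0x5C6D7E8F, 0x9A0B1C2D),
    ("get", False),  # tunnel stopped passing traffic after the rekey
]
```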

The following table lists the products that passed. The links after the product names lead to the debugging information generated on each conformance gateway during the successful test. This information is unlikely to be of much value to typical users; however, without it there would be no proof that the company actually tested its products against the conformance gateways. For each conformance gateway, the available debug output is listed below:

Company | Product | OpenBSD testing | KAME testing
Ashley Laurent | BroadWay ISS | debug, report, outside, inside | debug, outside, inside
Backbone Security.com | Ribcage | debug, report, outside, inside | debug, outside, inside
Check Point Software | VPN-1 Gateway | debug, report, outside, inside | debug, outside, inside
Cisco | IOS IPsec | debug, report, outside, inside | debug, outside, inside
Cisco | VPN 3000 Concentrator | debug, report, outside, inside | debug, outside, inside
CyberGuard | Premium Appliance Firewall family | debug, report, outside, inside | debug, outside, inside
DigiSAFE | BigBouncer | debug, report, outside, inside | debug, outside, inside
DigiSAFE | NetProtect | debug, report, outside, inside | debug, outside, inside
Encore Networks | BANDIT family | debug, report, outside, inside | debug, outside, inside
Enterasys Networks | Aurorean Virtual Network | debug, report, outside, inside | debug, outside, inside
eSoft | InstaGate | debug, report, outside, inside | debug, outside, inside
Intoto | iGateway family | debug, report, outside, inside | debug, outside, inside
Microsoft | Windows 2000 SP1 | debug, report, outside, inside | debug, outside, inside
NETGEAR | FVL328 | debug, report, outside, inside | debug, outside, inside
NetKlass | NetKlass SME100 | debug, report, outside, inside | debug, outside, inside
NetScreen | NetScreen | debug, report, outside, inside | debug, outside, inside
Nortel Networks | Contivity | debug, report, outside, inside | debug, outside, inside
Quarry Technologies | iQ-series Switches | debug, report, outside, inside | debug, outside, inside
SSH Communications Security | IPSEC Express | debug, report, outside, inside | debug, outside, inside
SSH Communications Security | QuickSec Toolkit | debug, report, outside, inside | debug, outside, inside
SSH Communications Security | SSH Sentinel | debug, report, outside, inside | debug, outside, inside
Stonesoft | StoneGate | debug, report, outside, inside | debug, outside, inside
WatchGuard | WatchGuard Firebox Vclass | debug, report, outside, inside | debug, outside, inside
Wipro Technologies | Wipro Home Gateway | debug, report, outside, inside | debug, outside, inside

If you have comments or questions about VPNC's testing, please feel free to send them to Paul Hoffman, VPNC's director, at paul.hoffman@vpnc.org.