VPNC Testing for Interoperability

The VPN Consortium issues logos to products of member companies that have passed its interoperability tests. The interoperability logos indicate that a product interoperates with the other products in the test. Each category label under the logo indicates a test that the product has passed.

VPNC members pay a one-time fee of $1000 for the Basic Interoperability or SSL Portal logo, but do not pay for any additional category logos, or for retesting when significant changes are made to their software or firmware. (In the past, VPNC tested for IPsec conformance, but those old tests are now completely replaced by our interoperability tests.)


VPNC Logos

IPsec Interoperability — The long-standing IPsec interoperability tests are for "AES Interoperability". In 2006, VPNC introduced the first significant IKEv2 interoperability logos in the IPsec market, "IKEv2 Basic Interoperability". In 2009, VPNC introduced the first significant IPv6 interoperability logos for IPsec. In 2010, VPNC added testing for authentication with certificates. (Earlier, we tested for "Basic Interoperability" using TripleDES for encryption, but we removed those tests in 2013 to emphasize AES's universal adoption.)

   AES Interoperability
   IKEv2 Basic Interoperability
   IPv6 Interoperability
   Certificate Interoperability

SSL Interoperability — Beginning in 2004, VPNC has also performed testing for SSL VPNs. These involve extensive real-world usability tests for a variety of important features for SSL VPNs. The base SSL Portal logo is supplemented by additional tests, including SSL Exchange, SSL Firefox, SSL File Access, SSL JavaScript, SSL Flash, SSL Basic Network Extension, and SSL Advanced Network Extension.

   SSL Portal
   SSL Exchange
   SSL Firefox
   SSL File Access
   SSL JavaScript
   SSL Flash
   SSL Basic Network Extension
   SSL Advanced Network Extension


AES Interoperability

The AES Interoperability test assures VPN users that IPsec systems are generally interoperable with other IPsec systems when using the new AES encryption algorithm. The test uses 128-bit AES for encryption, which is supported in all modern VPN systems.

Interoperability is defined as creating a working IKE tunnel between the systems that normal IP traffic can flow through. The tunnel requires AES-128 for encryption, SHA-1 for hash, 1024-bit key exchange, and a preshared secret for authentication.

Each system was set up based on the VPNC documentation profile for the system, with the exception that the AES algorithm and 128-bit keys were chosen.

The products from VPNC members that have passed the AES Interoperability test are:

Full details of the AES Interoperability test include the technical specification of the steps needed to pass, as well as the trace logs showing that IKE tunnels were set up in both directions.


IKEv2 Basic Interoperability

The IKEv2 Basic Interoperability test assures VPN users that IPsec systems that use IKEv2 as gateways are generally interoperable with other IKEv2 systems. To pass, a system has to interoperate with all of the other systems that are in the test.

Interoperability is defined as creating a working IKEv2 tunnel between the systems that normal IP traffic can flow through. The tunnel requires AES for encryption, SHA-1 for the hash and PRF, 1024-bit key exchange, and a preshared secret for authentication. As the term "Basic" implies, every IKEv2 implementation shipped today should have these features and should be able to interoperate with other IKEv2 systems.

Each system was set up based on the VPNC documentation profile for the system. Having the test follow the documentation profiles instead of setting up the systems based on the systems' documentation assures that end users can easily achieve interoperability in the same way that VPNC did.

The products from VPNC members that have passed the IKEv2 Basic Interoperability test are:

Full details of the IKEv2 Basic Interoperability test include the technical specification of the steps needed to pass, as well as the trace logs showing that IKEv2 tunnels were set up in both directions.


IPv6 Interoperability

The IPv6 Interoperability test assures VPN users that IPsec systems are generally interoperable with other IPsec systems when using IPv6 addresses. The test is identical to the AES Interoperability Test, except that the systems use fixed IPv6 addresses for both the internal and external networks.

Each system was set up based on the VPNC documentation profile for the system, with the exceptions that the addresses used were on IPv6 /64 networks and the AES algorithm and 128-bit keys were chosen.

The products from VPNC members that have passed the IPv6 Interoperability test are:

Full details of the IPv6 Interoperability test include the technical specification of the steps needed to pass, as well as the trace logs showing that IKE tunnels were set up in both directions.


Certificate Interoperability

The Certificate Interoperability test assures VPN users that IPsec systems are generally interoperable with other IPsec systems when using PKIX certificates for authentication. The test is identical to the AES Interoperability Test, except that the systems use PKIX certificates for authentication.

Each system was set up based on the VPNC documentation profile for the system, with the exception that the systems used PKIX certificates with 2048-bit RSA keys for authentication.

The products from VPNC members that have passed the Certificate Interoperability test are:

Full details of the Certificate Interoperability test include the technical specification of the steps needed to pass, as well as the trace logs showing that IKE tunnels were set up in both directions.


SSL Portal

The SSL Portal test assures SSL VPN users that a particular SSL gateway system will work correctly as a front end for a typical corporate portal application. To pass, the SSL gateway system has to correctly allow a user outside the corporate firewall access to many linked internal web sites. This involves rewriting the URLs that appear on web pages so that the remote user's experience is similar to an internal user's experience on the same web sites.

Correct operation is defined as allowing access to both HTTP and HTTPS servers; correctly rewriting links on the internal sites so that the external user can visit multiple internal web servers on different protected subnets; and allowing the user to traverse from a protected site to external HTTP and HTTPS servers.

The products from VPNC members that have passed the SSL Portal test are:

Full details of the SSL Portal test include the features of the cross-linking, and the web pages used to test the functionality of the SSL gateways.


SSL Exchange

The SSL Exchange test assures SSL VPN users that a particular SSL gateway system will work correctly as a front end for Microsoft Exchange Outlook Web Access (OWA). To pass, the SSL gateway system has to allow a user outside the corporate firewall to correctly use OWA from both Exchange 2000 and Exchange 2003. This involves rewriting the URLs that appear in email messages so that the remote user's experience is similar to an internal user's experience reading the same messages from OWA.

Correct operation is defined as proper display of the OWA introductory page; proper display of messages from the inbox; and properly rewriting URLs in messages so that the remote user can follow links that point to external HTTP and HTTPS sites.

The products from VPNC members that have passed the SSL Exchange test are:

Full details of the SSL Exchange test include the messages used in Exchange 2000 OWA and Exchange 2003 OWA inboxes.


SSL Firefox

The SSL Firefox test assures SSL VPN users that they can access a particular SSL gateway using the latest version of Mozilla Firefox. Many organizations are allowing or requiring their users to use the Mozilla Firefox web browser, so having their users be able to access their SSL VPN through that browser is important. To pass, the SSL gateway must be able to correctly display all tests used in the SSL Portal test when using Mozilla Firefox. Both Firefox 1.5 and 2.0 are tested, and the gateway must correctly display all tests with both versions.

The products from VPNC members that have passed the SSL Firefox test are:


SSL File Access

The SSL File Access test assures SSL VPN users that they can read and write files on CIFS/SMB file servers that are protected by a particular SSL gateway. CIFS (the Common Internet File System) uses the Server Message Block (SMB) protocol to make files available to users on the network. Many organizations use CIFS/SMB file servers for storing files that are used by many people, and also for easy backup of local files.

To pass, the SSL gateway must be able to correctly allow remote users to both read and write files on two different CIFS/SMB servers on the protected network. One server is running Windows Server 2000, and the other is running Windows Server 2003.

The products from VPNC members that have passed the SSL File Access test are:


SSL JavaScript

The SSL JavaScript test assures SSL VPN users that a particular SSL gateway system will work correctly as a front end for a corporate web portal that uses JavaScript that includes URLs. This is a specialized version of the SSL Portal logo, which only tests URLs in HTML. Many corporate web sites make extensive use of JavaScript, and rewriting URLs in JavaScript is more difficult than rewriting URLs in HTML.

To pass, the SSL gateway must be able to correctly interpret a URL that is formed by JavaScript code. The test URL points to a page on a web server on the protected network, and is made up of the concatenation of two variables, such as "http://www.example.com/" and "somepage.html". The test is run on up-to-date versions of Internet Explorer and Firefox; the gateway must work correctly with both.
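
The following sketch is an added illustration, not VPNC's test code or any vendor's implementation. It shows why the HTML-only rewriting covered by the SSL Portal test misses a URL built by concatenation, and one possible way for a gateway to handle it by wrapping the navigation sink; the gateway address, the `/proxy/` URL layout and the `__gw` helper are hypothetical.

```javascript
// Added example. Gateway host, /proxy/ layout and __gw are hypothetical.
const GATEWAY = "https://sslvpn.example.net";
const INTERNAL = /^https?:\/\/([^/]+\.)?example\.com(\/|$)/i; // assumed protected hosts

// Map an internal URL to its gateway form; leave external URLs alone.
function toGatewayUrl(url) {
  if (!INTERNAL.test(url)) return url;
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  return `${GATEWAY}/proxy/${scheme}/${u.host}${u.pathname}${u.search}${u.hash}`;
}

// HTML-only rewriting: touches href/src attribute values and nothing else.
function rewriteHtmlAttributes(html) {
  return html.replace(/\b(href|src)="([^"]*)"/gi,
    (_, attr, url) => `${attr}="${toGatewayUrl(url)}"`);
}

// Script rewriting: wrap the value assigned to a navigation sink so the URL
// is mapped at run time, after the page's own concatenation has produced it.
function rewriteScriptSinks(js) {
  const sink = /\b((?:window\.|document\.)?location(?:\.href)?)\s*=(?!=)\s*([^;\n]+)/g;
  return js.replace(sink, (_, target, expr) => `${target} = __gw(${expr.trim()})`);
}

// Constructed sample page: one static link plus a URL built from two variables.
const PAGE_SCRIPT = [
  'var base = "http://www.example.com/";',
  'var page = "somepage.html";',
  'location.href = base + page;',
].join("\n");
const PAGE_HTML =
  `<a href="http://www.example.com/index.html">Home</a><script>${PAGE_SCRIPT}</script>`;

// Run a script against a stand-in `location` object; return where it navigated.
function navigate(js) {
  const location = { href: "" };
  new Function("location", "__gw", js)(location, toGatewayUrl);
  return location.href;
}

console.log(rewriteHtmlAttributes(PAGE_HTML));          // link rewritten, script untouched
console.log(navigate(PAGE_SCRIPT));                     // direct internal address
console.log(navigate(rewriteScriptSinks(PAGE_SCRIPT))); // address behind the gateway
```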

The products from VPNC members that have passed the SSL JavaScript test are:


SSL Flash

The SSL Flash test assures SSL VPN users that a particular SSL gateway system will work correctly as a front end for a corporate web portal that uses Flash applets that include URLs. This is a specialized version of the SSL Portal logo, which only tests URLs in HTML. Some corporate web sites make use of Flash that includes URLs, such as in navigation menus.

Rewriting URLs in Flash is significantly more difficult than rewriting URLs in HTML. Also, many vendors find that few of their customers require this level of URL rewriting, and therefore have not yet put this feature into their gateway. For these reasons, fewer VPNC members' products have passed this test and received the SSL Flash logo than have passed the tests to qualify for the other SSL VPN logos (Portal, Exchange, Firefox, and JavaScript).

To pass, the SSL gateway must be able to correctly interpret a URL that is in a Flash applet. The test URL points to a page on a web server on the protected network, and is made up of the concatenation of two variables, such as "http://www.example.com/" and "somepage.html".

The products from VPNC members that have passed the SSL Flash test are:


SSL Basic Network Extension

The SSL Basic Network Extension test is for basic network extension functionality: secure tunneling of normal IP traffic through SSL to an internal network protected by the SSL VPN gateway. This test consists of a client accessing a server on the protected network on a custom TCP port.

To pass this test, the gateway must encrypt traffic to the server and must not need to have the specific server and port number assigned during setup.

The products from VPNC members that have passed the SSL Basic Network Extension test are:


SSL Advanced Network Extension

The SSL Advanced Network Extension test determines whether or not the SSL VPN gateway can trap and securely tunnel all traffic coming from a remote access client, even traffic not destined for the internal network.

To pass this test, the gateway must encrypt all traffic from the remote access client destined to a server on the Internet, and must then decrypt the traffic within the gateway and pass it to its destination.

The products from VPNC members that have passed the SSL Advanced Network Extension test are:


If you have comments or questions about VPNC's testing, please feel free to send them to Paul Hoffman, VPNC's director, at paul.hoffman@vpnc.org.