$Id: report-ike-interop0007.html,v 1.15 2000/07/28 08:46:10 sakane Exp $

The result of the round robin of IPsec/IKE
in the TAHI 2nd interoperability test

Here is the result of the round robin of the test. There is no meaning of the order of each implementations.
The description is the configuration only when IKE exchange was successful. All annotations are described at last part.

Implementaions

• YAMAHA WS-ONE beta release
• Racoon current
• FW-1 v4.1
• VP100
• NEC IX5000 alpha release
• IKED
• Windows2000
• NetCocoon
• AR300V2
• Sun IKE prototype
• MG1

Default configuration

• IPv4
• Pre-shared key: hogehoge
• Main mode

Notiation

N/A

the test was impossible because of mismatching address family, supported algorithm...

---

the test was not played.

###

same result when a implementation was responder of the session.

*

annotation which is described at last part.

X

empty.

Annotation

• *1: When WS-ONE initiated with main mode, occasionally 5th message was failed to decode on IX5000 by unkown reason.
• *4: We didn't find how to delete both phase 1 and 2 of SAs on Windows2000.
• *5: When rekeying happened, it was failed because AR300V2's soft lifetime was shorter than Sun IKE prototype's one then the rekeying went into *14.
• *6: Occasionally, Windows2000 reject phase 2 exchange due to NO-PROPOSAL-CHOSEN of unkown reason.
• *7: When racoon was initiate, the exchange was failed because NetCocoon modified proposal number. For example, racoon sent (#1 3des/#2 des). Netcocoon replied (#1 des).
• *8: The negotiation was failed on 15th. But it was successful on 16th. We didn't know the reason.
• *9: It was successful to be both secured connection of IPv4 and IPv6 same time.
• *10: A resending time was set longer.
• *11: The phase 2 negotiation had been failed because there was a tiny bug about KE processing on WS-ONE side.
• *12: In the case of RSA signature, VP100 had rejected phase1 exchange because there was no SubjectAltName in racoon's certificate. Racoon's certificate was signed by Windows2000's CA. The CA looked there was no place to specify a SubjectAltName. The test was successful by using a certificate signed by the isakmp-test.ssh.fi's CA.
• *14: AR300V2 didn't carry both ID paylads on phase 2 when quick mode SA range was equals to Phase I ID. This was occurred when AR300V2 was initiator.
• *16: MG1 had 16 fixed bytes of nonce data.
• *17: When we would choice AH+ESP, MG1 sent separated phase 2.
• *18: We couldn't configurate to initiate from Windows2000.
• *20: It's available to rekey phase 2 SAs every 2(s).
• *22: NetCocoon sent a packet by using new SA without sending DELETE message. But racoon always used old SA. So that the communication with IPsec was failed after phase 2 rekeying. This problem happened by using the debug command of rekeying on NetCocoon. Without the debug command, we never encountered this problem.