Archived TD0014: Satisfying FCS_IPSEC_EXT.1.13 in VPN GW EP
The statement of FCS_IPSEC_EXT.1.14 in the VPN Client PP specifies:
FCS_IPSEC_EXT.1.14 The [selection: TOE, TOE platform] shall be able to ensure by default that the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the [selection: IKEv1 Phase 1, IKEv2 IKE_SA] connection is greater than or equal to the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the [selection: IKEv1 Phase 2, IKEv2 CHILD_SA] connection.
It has the accompanying Application Note:
FCS_IPSEC_EXT.1.14: The ST author chooses either or both of the IKE selections based on what is implemented by the TOE. Obviously, the IKE version(s) chosen should be consistent not only in this element, but with other choices for other elements in this component. While it is acceptable for this capability to be configurable, the default configuration in the evaluated configuration (either "out of the box" or by configuration guidance in the AGD documentation) must enable this functionality.
For FCS_IPSEC_EXT.1.13 in the VPN GW EP, is it sufficient if the TOE needs to be configured to adhere to the SFR, as indicated in the Application Note for FCS_IPSEC_EXT.1.14 in the VPN Client PP?
Yes, it is sufficient for the TOE to be configured to adhere to this SFR as indicated in the Application Note for FCS_IPSEC_EXT.1.14 in the VPN Client PP.
The VPN GW EP does not contain an Application Note for FCS_IPSEC_EXT.1.13 that provides any configuration information, and FCS_IPSEC_EXT.1.14 in the VPN Client PP is worded almost identically.
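An added example, not part of the Technical Decision or of either Protection Profile: a static check of a default configuration against the key-strength ordering the SFR requires, plus the negotiation-time filter a TOE could apply instead. The cipher-name notation, the function names and the two sample configurations are constructed for illustration.

```python
import re

def key_bits(cipher):
    """Key length in bits, read from names such as 'AES-GCM-256' (assumed notation)."""
    m = re.fullmatch(r"AES-(?:CBC|GCM)-(128|192|256)", cipher.upper())
    if m is None:
        raise ValueError(f"unrecognised cipher name: {cipher!r}")
    return int(m.group(1))

def violating_pairs(ike_ciphers, child_ciphers):
    """Every (IKE SA, CHILD SA) cipher pair the configuration allows in which
    the IKE SA key is shorter than the CHILD SA key.

    The two negotiations pick independently from their own lists, so a
    configuration guarantees the ordering on its own only if this is empty.
    """
    return [(i, c) for i in ike_ciphers for c in child_ciphers
            if key_bits(i) < key_bits(c)]

def acceptable_child_ciphers(negotiated_ike, child_ciphers):
    """Negotiation-time alternative: once the IKE SA cipher is known, keep only
    the CHILD SA ciphers whose key is no longer than the IKE SA key."""
    limit = key_bits(negotiated_ike)
    return [c for c in child_ciphers if key_bits(c) <= limit]

# Constructed sample configurations (not taken from any product).
WEAK_DEFAULT = {"ike": ["AES-CBC-128", "AES-CBC-256"],
                "child": ["AES-GCM-128", "AES-GCM-256"]}
FIXED_DEFAULT = {"ike": ["AES-CBC-256"],
                 "child": ["AES-GCM-128", "AES-GCM-256"]}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DEFAULT), ("fixed", FIXED_DEFAULT)):
        bad = violating_pairs(cfg["ike"], cfg["child"])
        print(label, "compliant" if not bad else f"violations: {bad}")
```
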