Archived TD0097: VPN Gateway selection for FCS_IPSEC_EXT.1.14
The FCS_IPSEC_EXT.1.14 requirement seeks to ensure commensurate key strength between the first-stage and second-stage negotiation. Such a check might be best enforced from the gateway, where qualified administrators can follow administrative guidance one time (with the gateway checking that the key strength configured for the first stage equals or exceeds that configured for the second stage), and then ensure that all clients are configured correctly. Hence, we believe that the selection should allow VPN Gateway in addition to TOE and TOE platform.
FCS_IPSEC_EXT.1.14 is revised to allow for the selection of VPN Gateway, and an application note is added to omit Test 2 when VPN Gateway is selected. The revised requirement and application note are as follows:
FCS_IPSEC_EXT.1.14 The [selection: TOE, TOE platform, VPN Gateway] shall be able to ensure by default that the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the [selection: IKEv1 Phase 1, IKEv2 IKE_SA] connection is greater than or equal to the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the [selection: IKEv1 Phase 2, IKEv2 CHILD_SA] connection.
Application Note: If "VPN Gateway" is selected, then "Test 2" may be omitted from the evaluation. Tests 1, 3, and 4 shall be performed regardless of the selection.
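As an added illustration (not part of the Technical Decision, and not any product's implementation), the following Python checker shows what the FCS_IPSEC_EXT.1.14 comparison amounts to in practice. It compares the symmetric key length of the algorithm chosen for the IKE SA (IKEv1 Phase 1 / IKEv2 IKE_SA) against the one chosen for the CHILD SA (IKEv1 Phase 2 / IKEv2 CHILD_SA), both for a single negotiated pair and, as a gateway-side "by default" check over a whole configuration, for every IKE proposal against every CHILD SA proposal an administrator has enabled. The proposal string syntax ("enc-integ-dhgroup", e.g. aes256-sha256-modp2048), the algorithm names, and the sample configuration are assumptions constructed for this example, not formats the requirement or this TD defines.

```python
import re
from typing import List, Tuple

# Encryption token at the front of a proposal string. Assumed syntax for this
# example: aes<bits>, optionally followed by gcm<icv>/ccm<icv>, or 3des.
_ENC_RE = re.compile(
    r"^(?P<aes>aes)(?P<bits>128|192|256)(?:gcm|ccm)?(?:8|12|16)?$|^(?P<des>3des)$"
)

# Nominal key length for 3DES (three 56-bit keys). The requirement phrases
# strength as "the number of bits in the key", so the nominal length is used.
_3DES_KEY_BITS = 168


def key_bits(enc_token: str) -> int:
    """Return the symmetric key length in bits for one encryption token."""
    m = _ENC_RE.match(enc_token.lower())
    if not m:
        raise ValueError(f"unrecognised encryption algorithm: {enc_token!r}")
    if m.group("des"):
        return _3DES_KEY_BITS
    return int(m.group("bits"))


def encryption_token(proposal: str) -> str:
    """First dash-separated token of a proposal is the encryption algorithm."""
    return proposal.split("-", 1)[0]


def negotiation_ok(ike_enc: str, child_enc: str) -> bool:
    """FCS_IPSEC_EXT.1.14 for one negotiated pair: IKE SA key length must be
    greater than or equal to the CHILD SA key length."""
    return key_bits(ike_enc) >= key_bits(child_enc)


def config_violations(ike_proposals: List[str],
                      child_proposals: List[str]) -> List[Tuple[str, str]]:
    """Gateway-side 'by default' check: every enabled IKE proposal must be at
    least as strong as every enabled CHILD SA proposal, otherwise some
    negotiation could pick a weaker IKE SA than the CHILD SA it protects.
    Returns the offending (ike_proposal, child_proposal) pairs."""
    bad = []
    for ike in ike_proposals:
        for child in child_proposals:
            if not negotiation_ok(encryption_token(ike), encryption_token(child)):
                bad.append((ike, child))
    return bad


if __name__ == "__main__":
    # Constructed sample gateway configuration (not from any real product).
    ike_sa = ["aes128-sha256-modp2048", "aes256-sha256-modp2048"]
    child_sa = ["aes256gcm16"]
    for ike, child in config_violations(ike_sa, child_sa):
        print(f"violation: IKE SA {ike} weaker than CHILD SA {child}")
```

Test 2 of the requirement (omitted when VPN Gateway is selected) corresponds to the per-negotiation check in negotiation_ok; the configuration-level check in config_violations is the administrative step the TD's issue description describes, where the gateway verifies the configured first stage against the second stage once, rather than each client being tested individually.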
FCS_IPSEC_EXT.1.14 did not explicitly reference configuration via the VPN Gateway and was inconsistent with the permitted selection operations in FMT_SMF.1.