Archived TD0303: IKEv1 and support for XAUTH
The SFR has a selection for "support for XAUTH", but the test requires that, if there is XAUTH support, it must be possible to use IKEv1 both with and without XAUTH. The test does not account for the case where only IKEv1 with XAUTH is supported.
FCS_IPSEC_EXT.1.5, Test 1 is replaced as follows:
Test 1: The evaluator shall configure the TOE/platform so that it will perform NAT traversal processing as described in the TSS and RFC 7296, section 2.23. The evaluator shall initiate an IPsec connection and determine that the NAT is successfully traversed. If the TOE/platform supports IKEv1 with or without XAUTH, the evaluator shall verify that this test can be successfully repeated with XAUTH enabled and disabled in the manner specified by the operational guidance. If the TOE/platform only supports IKEv1 with XAUTH, the evaluator shall verify that connections not using XAUTH are unsuccessful. If the TOE/platform only supports IKEv1 without XAUTH, the evaluator shall verify that connections using XAUTH are unsuccessful.
See issue description.