NIAP/CCEVS
TD0662:  Changes to Testing IPsec NAT Transversal and XAUTH in MOD_VPNC 2.4

Publication Date
2022.12.13

Protection Profiles
MOD_VPNC_V2.4

Other References
FCS_IPSEC_EXT.1.5

Issue Description

There is an issue regarding FCS_IPSEC_EXT.1.5 in cases where the VPN gateway communicates configuration settings to the TOE, but some specific FIPS-CC builds force the gateway to use configuration settings that are consistent with the claimed standards against which it is certified. Therefore, it is not possible to use the gateway to configure the TOE to disable XAUTH or to enable aggressive mode, or for the gateway to present aggressive mode or to disable its own XAUTH.

The test EAs state that the invalid connection attempts must be unsuccessful, but they do not specify the manner in which the attempts should fail. In this case there will be no IPsec-level packet captures showing a failure, because the client never gets as far as attempting a connection with the invalid settings. The invalid connection attempt therefore does fail, but it fails at the configuration level rather than at the network level.

Resolution

The following change is made to the tests for FCS_IPSEC_EXT.1.5 in Section 2.5.1.2.6 of the MOD_VPN_CLI_v2.4 PP-Module SD, with underlines denoting additions:

Test 1:

a. The evaluator shall configure the TOE so that it will perform NAT traversal processing as described in the TSS and RFC 7296, section 2.23. The evaluator shall initiate an IPsec connection and determine that the NAT is successfully traversed.

b. If the TOE supports IKEv1 with or without XAUTH, the evaluator shall verify that this test can be successfully repeated with XAUTH enabled and disabled in the manner specified by the operational guidance. If the TOE only supports IKEv1 with XAUTH, the evaluator shall verify that connections not using XAUTH are unsuccessful. If the TOE only supports IKEv1 without XAUTH, the evaluator shall verify that connections using XAUTH are unsuccessful.

In the case that the VPN gateway enforces the TOE's configuration, the following steps shall be performed to meet the objective of Test 1:

  1. Configure the TOE client and VPN gateway to have XAUTH enabled.
  2. Attempt the connection and observe that the connection succeeds and that XAUTH is used.
  3. Configure the TOE and gateway to have XAUTH disabled.
  4. Attempt the connection and observe that the connection succeeds and that XAUTH is not present.
  5. Attempt to configure a mismatch between the TOE and gateway (i.e. modify a local configuration setting on the client system).
  6. Verify that no IPsec connection is attempted until the gateway corrects the configuration settings.

Test 2: [conditional]: If the TOE supports IKEv1, the evaluator shall perform any applicable operational guidance steps to disable the use of aggressive mode and then attempt to establish a connection using an IKEv1 Phase 1 connection in aggressive mode. This attempt should fail. The evaluator shall show that the TOE will reject a VPN gateway from initiating an IKEv1 Phase 1 connection in aggressive mode. The evaluator should then show that main mode exchanges are supported.

In the case that the VPN gateway enforces the TOE's configuration, the following steps should be performed to meet the objective of Test 2:

  1. Configure the gateway and TOE client in the appropriate manner per the guidance documentation (gateway rejects aggressive mode, client rejects aggressive mode).
  2. Connect the TOE client to the gateway to obtain the configuration settings.
  3. Observe the main mode connection is successful.
  4. Disconnect the TOE from the gateway.
  5. Attempt to modify the setting for main mode locally on the TOE to force the client to attempt to use aggressive mode.
  6. Observe that when the initial connection attempt to the gateway is made, the gateway detects the configuration difference and reapplies the main mode setting before the TOE can attempt an IPsec connection.
  7. Configure a peer to have equivalent settings to the VPN gateway (same ciphers/authentication/hash/KEX settings).
  8. Tell the TOE that there is a VPN gateway at the location of the peer.
  9. Observe that the TOE cannot establish a connection with the peer.
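The following Python model is an added illustration and is not part of TD0662 or the MOD_VPNC SD. It shows the "gateway enforces the TOE's configuration" behaviour that Test 1 steps 5 and 6 and Test 2 steps 5 and 6 rely on: a locally edited client configuration (aggressive mode forced on, XAUTH switched off) is reconciled against the policy the gateway pushes, the mismatching settings are reapplied before any IKE exchange starts, and only the retry with the corrected settings proceeds. The key=value config format, the key names (`ike_version`, `exchange_mode`, `xauth`), the gateway policy values and the function names are all constructed for this example; steps 7 to 9 of Test 2 (the equivalent-settings peer) are not modelled.

```python
"""Added example (not from TD0662 or the MOD_VPNC SD): a model of the
"gateway enforces the TOE's configuration" case in Test 1 and Test 2.
Config format, key names and gateway policy values are constructed."""
from dataclasses import dataclass

# Settings the gateway is allowed to enforce on the client (constructed).
ENFORCED_KEYS = ("exchange_mode", "xauth")


@dataclass
class Attempt:
    attempted: bool   # True only if an IKE exchange was actually started
    reapplied: dict   # {key: (local value, gateway value)} corrected first
    effective: dict   # configuration the client holds after the check
    reason: str


def parse_config(text):
    """Parse a minimal key=value client config (constructed format)."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, value = (part.strip().lower() for part in line.split("=", 1))
        cfg[key] = value
    return cfg


def reconcile(local_cfg, gateway_policy):
    """Return (effective config, settings the gateway had to correct)."""
    effective = dict(local_cfg)
    reapplied = {}
    for key in ENFORCED_KEYS:
        if key in gateway_policy and effective.get(key) != gateway_policy[key]:
            reapplied[key] = (effective.get(key), gateway_policy[key])
            effective[key] = gateway_policy[key]
    return effective, reapplied


def connect(local_cfg, gateway_policy):
    """Decide whether the client starts an IKEv1 exchange at all.

    A mismatch is corrected before any IKE packet is sent, so the failure the
    evaluator observes is at configuration level: there is no packet capture.
    """
    effective, reapplied = reconcile(local_cfg, gateway_policy)
    if reapplied:
        return Attempt(False, reapplied, effective,
                       "gateway reapplied enforced settings; no IKE exchange started")
    if effective.get("exchange_mode") != "main":
        return Attempt(False, {}, effective, "only main mode is permitted")
    return Attempt(True, {}, effective,
                   f"main mode exchange started, xauth={effective.get('xauth')}")


# Constructed gateway policy: main mode only, XAUTH required.
GATEWAY_POLICY = {"exchange_mode": "main", "xauth": "yes"}

# Constructed local config after the evaluator edits it (Test 1 step 5,
# Test 2 step 5): aggressive mode forced on, XAUTH switched off.
TAMPERED_CONFIG = """
# client.conf (constructed sample)
ike_version   = 1
exchange_mode = aggressive   # evaluator-modified
xauth         = no           # evaluator-modified
"""


def run_test_sequence(config_text=TAMPERED_CONFIG, policy=GATEWAY_POLICY):
    """Steps 5-6: the first attempt is blocked and corrected, the retry runs."""
    first = connect(parse_config(config_text), policy)
    second = connect(first.effective, policy)
    return first, second


if __name__ == "__main__":
    first, second = run_test_sequence()
    print("attempt 1:", first.attempted, first.reason, first.reapplied)
    print("attempt 2:", second.attempted, second.reason)
```

The evidence an evaluator would record for this case is the first `Attempt` (nothing attempted, both enforced keys listed under `reapplied`) followed by the second one succeeding in main mode with XAUTH present, which is the configuration-level failure the issue description refers to rather than a failed IPsec exchange on the wire.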

Justification

See issue description.
