TD0662: Changes to Testing IPsec NAT Transversal and XAUTH in MOD_VPNC 2.4
There is an issue regarding FCS_IPSEC_EXT.1.5 in cases where the VPN gateway communicates configuration settings to the TOE, but some specific FIPS-CC builds force the gateway to use configuration settings that are consistent with the claimed standards against which it is certified. Therefore, it is not possible to use the gateway to configure the TOE to disable XAUTH or to enable aggressive mode, or for the gateway to present aggressive mode or to disable its own XAUTH.
The test EAs state that the invalid connection attempts must be unsuccessful but it does not specify the manner in which they should fail. In this case, there will be no IPsec level packet captures to fail because the client will not even get to attempt a connection with the invalid settings. So the invalid connection attempt does fail, but it fails at a configuration level rather than a network one.
The following change is made to the tests for FCS_IPSEC_EXT.1.5 in Section 220.127.116.11.6 of the MOD_VPN_CLI_v2.4 PP-Module SD, with underlines denoting additions:
a. The evaluator shall configure the TOE so that it will perform NAT traversal processing as described in the TSS and RFC 7296, section 2.23. The evaluator shall initiate an IPsec connection and determine that the NAT is successfully traversed.
b. If the TOE supports IKEv1 with or without XAUTH, the evaluator shall verify that this test can be successfully repeated with XAUTH enabled and disabled in the manner specified by the operational guidance. If the TOE only supports IKEv1 with XAUTH, the evaluator shall verify that connections not using XAUTH are unsuccessful. If the TOE only supports IKEv1 without XAUTH, the evaluator shall verify that connections using XAUTH are unsuccessful.
In the case that the VPN gateway enforces the TOE's configuration, the following steps shall be performed to meet the objective of Test 1:
Test 2: [conditional]: If the TOE supports IKEv1, the evaluator shall perform any applicable operational guidance steps to disable the use of aggressive mode and then attempt to establish a connection using an IKEv1 Phase 1 connection in aggressive mode. This attempt should fail. The evaluator shall show that the TOE will reject a VPN gateway from initiating an IKEv1 Phase 1 connection in aggressive mode. The evaluator should then show that main mode exchanges are supported.
In the case that the VPN gateway enforces the TOE's configuration, the following steps should be performed to meet the objective of Test 2:
See issue description.