The Network Interpretations Team (NIT) has issued a technical decision regarding the applicability of X.509 certificate testing to IPsec.

To align with NIT interpretation # 201628, the following guidance is issued.

The X.509 certificate testing should be performed for all functionality using X.509 certificates, including IPsec. MITM is not practical for modification of the certificates used in IPsec/IKE, instead the X.509 tests should use instrumented clients or servers, presenting modified certificates, to perform the tests.

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI28.pdf

The X.509 requirements are about ensuring the behavior of the TOE when encountering malformed or invalid X.509 certificates regardless of protocol.