NIAP: View Technical Decision Details
TD0303: IKEv1 and support for XAUTH

Publication Date
2018.03.29

Protection Profiles
MOD_VPN_CLI_V2.1

Other References
FCS_IPSEC_EXT.1.5

Issue Description

The SFR has a selection for "support for XAUTH", but the test requires that if there is XAUTH support it must be possible to use IKEv1 with and without XAUTH. The test does not account for when only IKEv1 with XAUTH is supported.

Resolution

FCS_IPSEC_EXT.1.5, Test 1 is replaced as follows:

Test 1: The evaluator shall configure the TOE/platform so that it will perform NAT traversal processing as described in the TSS and RFC 7296, section 2.23. The evaluator shall initiate an IPsec connection and determine that the NAT is successfully traversed. If the TOE/platform supports IKEv1 with or without XAUTH, the evaluator shall verify that this test can be successfully repeated with XAUTH enabled and disabled in the manner specified by the operational guidance. If the TOE/platform only supports IKEv1 with XAUTH, the evaluator shall verify that connections not using XAUTH are unsuccessful. If the TOE/platform only supports IKEv1 without XAUTH, the evaluator shall verify that connections using XAUTH are unsuccessful.

Justification

See issue description.

 
 