Comments about NTT's 2nd IPSec Interoperability Test Results

• The number of items selectable from the setup menus is comparably larger than most.
  
• The GUI related to the "Entity", "KeyProfile", etc. setup screens becomes more and more difficult to view when large numbers of items are entered.
  
• Because the RaptorFirewall has supported VPN as a standard feature for quite some time, the number of people who knew how to operate the setup screens were many.

  ---

• Only the "BSD" version is IPsec compliant. Operation was virtually the same as that of the previous version used for NTT's 1st IPSec interoperability testing so operation was easy to use.

  ---

• All settings can be made from within your Web Browser. You can create VPN groups and manage those groupings as well.
• They also offer a Client software package as well. Japanese will is supported towards the end of this summer. This is definately a product to watch for.

  ---

• From Ver 4.0, they support automatic key sequencing. This version also supports Diffie-Hellman Group-1 and -2, but when Firewall-1 is used as the "Initiater" [Snd], the "Proposal" is sent out as Group-2.
• They already have a large Firewall installed base and expect that a good portion of their already installed users will upgrade to this new version as well.

  ---

• A minor version up was made and it looks as though this latest release seems to follow the IPSec draft to the letter.
• Also, there are numerous settings and combinations of each setting are possible.

  ---

• From Ver 4.0, they support automatic key sequencing. Making VPN settings are very easy.
• As for manual key interoperatility, all three modes "Combined IPsec", "Separated IPsec" & "Old IPsec" are supported.
• They already have a large Firewall installed base and expect that a good portion of their already installed users will upgrade to this new version as well.

  ---

• They have switching hub capability and remote router functionality built into the unit so this is definately built to be an Intranet solution.
• iv32 is supported in this version, however automatic key sequencing was not compatible and thus testing could not be performed with this version. They will support automatic key sequencing in their next release though.

  ---

• If the "PFS ON" mode is used, the automatic key sequencing supported was incompatible with other vendor machines. Thus all testing performed this time around had the "PFS OFF" to allow the automatic key sequencing to take place with other vendor's equipment.
• Only Diffie-Hellman Group-1 is supported in this release. They do offer client software as well.
• There was not enough time to test manual key exchange.
• Initial setup as well as mode changes can be made easily and the Log file is very nice as well.
• The RAVLIN 4 is smaller than a notebook PC power supply so it is quite convenient to take along with you as a mobile device. Also, the "Cisco PIX Encryption Card" can be used as a "Ravlin IPSec encryption card" as well.

  ---

• As for IPSec compliance, this product follows all of the latest settable parameters for the version tested.
• There was not enough time to test manual key exchange.
• At the present their only IPsec compliant product is the Client software, but they plan on releasing an IPSec compliant Gateway in the future.

  ---

• This SOHO router is automatic key sequencing compliant, not to mention that as it is a Japanese product, it can support T-DES within Japan.
• As for interoperability, keep in mind that this product supports the latest IPSec draft specifications.

  ---

• As there is an HP OpenView management agent included with this product, it can be managed along with other management systems the same as other devices.
• Identification can only be specified as a "Host" device and as such, it can only communicate with other products which are also "Host" devices. (Of course, this poses no problems with other cIPro products.)

  ---

Raptor-Gauntlet
• It can establish manual key exchange.
• Raptor Setting: Reply Protection=None, AH Header ON, ESP Header OnAMD5
• Gauntlet Setting: AH over ESP with anti-reply, MD5
• Concerning Automatic Key Sequencing; as the "Initiator" [Snd], it was impossible to get a Phase 1 confirmation.

---

Raptor-VPNet
• Concerning Automatic Key Sequencing; as the "Initiator" [Snd], it was able to get a Phase 1 confirmation.
• With VPNet as the "Initiator" [Snd], Automatic Key Exchange was not successful.

---

Raptor-Firewall-1
• Manual Key Exchange completed properly.
• Raptor SettingFiv32/64bit, Reply Protection=OFF
• Firewall-1 SettingFiv32/64bit
• Concerning Automatic Key Sequencing; on a peer-to-peer level, keys were exchanged in both directions.

---

Raptor-PERMIT
• Concerning Automatic Key Sequencing; keys were exchanged regardless of which was the originator.
• It was required to use the "PFS ON" and PERMIT had to have the "Identity Option" added.
• Raptor's "Advanced Menu" was set to "Proxy ON".

---

Raptor-Sidewinder
• Manual Key Sequencing was possible.
• Raptor Setting: Reply Option=None, AH+ESP
• Sidewinder Setting: Old IPsec

---

Raptor-A2DIS
• For Manual Key Sequencing; the A2DIS only supported iv32 so the Raptor side also had to be set to iv32 to be able to communicate properly.

---

Raptor-RAVLIN
• With the "PFS OFF", regardless of which was the "Initiator" [Snd], communication was possible.
• Upon "Rekey" however, the key was unable to be re-established and the Raptor side gave off an Error Message stating such.

---

Raptor-SafeNet
• On the Raptor side, a 32-bit mask had to be set to communicate peer-to-peer to be able to communicate as the "Initiator" [Snd] because it didn't support single 8-octet settings.

---

Raptor-YAMAHA
• It was not possible to establish Manual Key Sequencing.

---

Raptor-cIPro
• Identification was only settable as a "Host".
• On the Raptor side, a 32-bit mask had to be set to communicate peer-to-peer to be able to communicate as the "Initiator" [Snd] because it didn't support single 8-octet settings.

---

Gauntlet-VPNet
• Manual Key Sequencing was possible.
• Gauntlet Setting: iv64, AH over ESP

---

Gauntlet-Firewall-1
• Manual Key Sequencing was only possible using ESP.
• When AH was added, communications could not be established.

---

Gauntlet-PERMIT
• Regardless of which side was the "Initiator" [Snd], Automatic Key Sequencing was impossible.

---

Gauntlet-Sidewinder
• Manual Key Sequencing was possible.
• Gauntlet Setting: Tunnel with anti-reply
• Sidewinder Setting: Combined ESP

---

Gauntlet-A2DIS
• Manual Key Sequencing was possible.
• Gauntlet Setting: iv32, Tunnel with anti-reply

---

Gauntlet-RAVLIN
• Regardless of which side was the "Initiator" [Snd], Automatic Key Sequencing was impossible.

---

Gauntlet-SafeNet
• Regardless of which side was the "Initiator" [Snd], Automatic Key Sequencing was impossible.

---

Gauntlet-YAMAHA
• Manual Key Sequencing was possible using iv32.
• Gauntlet Setting: Tunnel with anti-reply
• When Automatic Key Sequencing was tested, a "Payload MALFORMED" error occurred.

---

Gauntlet-cIPro
• Regardless of which side was the "Initiator" [Snd], Automatic Key Sequencing was impossible.

---

VPNet-Firewall-1
• When Firewall-1 was the "Initiator" [Snd], Diffie Helman Group-2 was used, thus on the VPNet side, Group-2 also had to be selected with "PFS OFF". But with this setting, Automatic Key Sequencing was possiblein both directions.
• When Firewall-1 was the "Responder" [Rcv], both Diffie Helman Group-1 & -2 could be selected and Automatic Key Sequencing completed properly.

---

VPNet-PERMIT
• With "PFS ON" or "PFS OFF", Automatic Key Sequencing was possible regardless of which was the "Initiator" [Snd].

---

VPNet-Sidewinder
• Automatic Key Sequencing was possible regardless of which was the "Initiator" [Snd].

---

VPNet-A2DIS
• Automatic Key Sequencing was unable to be established regardless of which was the "Initiator" [Snd].

---

VPNet-RAVLIN
• With "PFS OFF", Automatic Key Sequencing was possible regardless of which was the "Initiator" [Snd].

---

VPNet-SafeNet
• Automatic Key Sequencing completed properly for the Key Exchange, but "Identification" information was not properly exchanged because VPNet was unable to be set to communicate with a Client, only a Host.

---

VPNet-YAMAHA
• Automatic Key Sequencing was unable to be established regardless of which was the "Initiator" [Snd].

---

VPNet-cIPro
• cIPro only supports "Identification" type [Host], so when the VPnet was the "Initiator" [Snd], so after the Automatic Key Sequencing Exchange completed, a "No Response" error occurred.
• Also, for cIPro, for the "Proposal" portion of the "SecurityAssociation", [Life-Time-Type] and [Life-Time-Duration] were added and as such, a "Notification Message" [Attribute Not Supported] was returned. Thus, regardless of which side was the "Initiator" [Snd], communications were not possible.

---

Firewall-1-PERMIT
• When Firewall-1 was the "Initiator" [Snd], communications were possible, but when PERMIT was the "Initiator" [Snd], an "Invalid IP Information" Error Message occurred and communications were not possible.

---

Firewall-1-Sidewinder
• For Manual Key Sequencing, regardless of the Sidewinder mode; [Combined IPsec], [Separated IPsec] or [Old IPsec], communications were not possible.

---

Firewall-1-A2DIS
• Because the A2DIS only supported iv32, testing was not performed.

---

Firewall-1-RAVLIN
• Automatic Key Sequencing completed for the Key Exchange, but the Identification was unable to be completed regardless of which side was the "Initiator" [Snd].

---

Firewall-1-SafeNet
• Automatic Key Sequencing completed properly regardless of which side was the "Initiator" [Snd].

---

Firewall-1-YAMAHA
• Manual Key Sequencing was not possible.

---

Firewall-1-cIPro
• When set for Peer-to-peer communications, Automatic Key Sequencing completed properly regardless of which side was the "Initiator" [Snd].

---

PERMIT-Sidewinder
• With "PFS ON" or "PFS OFF", Automatic Key Sequencing completed successfully regardless of which side was the "Initiator" [Snd].

---

PERMIT-A2DIS
• Because the A2DIS only supports iv32 this test was not performed.

---

PERMIT-RAVLIN
• With "PFS OFF", Automatic Key Sequencing completed successfully regardless of which side was the "Initiator" [Snd].

---

PERMIT-SafeNet
• For Automatic Key Sequencing, when SafeNet was the "Initiator" [Snd], with an "Identification" addition to the PERMIT side, communications were possible.
• But when PERMIT was the "Initiator" [Snd] communications could not be established. PERMIT was not setable to allow for Client communications, only Host mode was supported.

---

PERMIT-YAMAHA
• Regardless of which side was the "Initiator" [Snd], communications were impossible.

---

PERMIT-cIPro
• For Automatic Key Sequencing; when cIPro was the "Initiator" communications were possible, but when PERMIT was the "Initiator"communications could not take place. On the cIPro side, the Error Message [Bad SPI_SIZE in initial contact notification] occurred and on the PERMIT side, the Error Message [Invalid Cookie ID unknown] occurred.

---

Sidewinder-A2DIS
• Using iv32, on the Sidewinder side, [Old IPsec] had to be set to allow Manual Key Sequencing to occur.

---

Sidewinder-RAVLIN
• Automatic Key Sequencing was possible regardless of which side was the "Initiator" [Snd].

---

Sidewinder-SafeNet
• Automatic Key Sequencing was impossible regardless of which side was the "Initiator" [Snd].

---

Sidewinder-YAMAHA
• For Manual Key Sequencing; regardless of which mode [Combined IPsec], [Separated IPsec] or [Old IPsec] for the Sidewinder, communications were not possible.

---

Sidewinder-cIPro
• Automatic Key Sequencing was impossible regardless of which side was the "Initiator" [Snd].
• On the Sidewinder side, peer-to-peer setting was impossible because it thought the client was one of it's local terminals.

---

A2DIS-RAVLIN
• Because A2DIS only supports iv32, testing was not performed.

---

A2DIS-SafeNet
• Because A2DIS only supports iv32, testing was not performed.

---

A2DIS-YAMAHA
• Manual Key Sequencing was not possible.

---

A2DIS-cIPro
• Because A2DIS only supports iv32, testing was not performed.

---

RAVLIN-SafeNet
• With peer-to-peer setting, Automatic Key Sequencing was possible regardless of which side was the "Initiator" [Snd].

---

RAVLIN-YAMAHA
• Regardless of which side was the "Initiator" [Snd], Automatic Key Sequencing was impossible.

---

RAVLIN-cIPro
• Also, for cIPro, for the "Proposal" portion of the "SecurityAssociation", [Life-Time-Type] and [Life-Time-Duration] were added and as such, a "Notification Message" [Attribute Not Supported] was returned.
• As for Automatic Key Sequencing; with RAVLIN as the "Initiator" [Snd], communications were not possible, but when the cIPro was the "Initiator" [Snd], communications were possible.

---

SafeNet-YAMAHA
• There was not enough time to perform this testing.

---

SafeNet-cIPro
• The cIPro was only capable of setting the "Identification" as Host, but when peer-to-peer was specified, communications in both directions were possible.

---

YAMAHA-cIPro
• There was not enough time to perform this testing.

---