2nd IPSec Interoperability Testing Results

(Oct. 7 - 9, 1998)

NTT (Nippon Telegraph and Telephone Corporation) performed three days of IPSec interoperability testing amongst various different vendors products at one of their testing facilities in Tokyo, Japan.


This testing was the 2nd interoperability test perform by them. The 1st testing was held earlier and only tested manual key exchange between vendors. This 2nd testing included automatic key exchange between vendors. There is going to be a 3rd interoperability test performed over the Internet (probably during 1Q 1999), but no final dates have been specified. This 3rd test, I believe, is going to include CA testing as well, but the final configuration has yet to be announced.


After looking at the results, it is apparent that IPSec still has a long way to go...

I was present for the 2nd interoperability testing at the test site performing the setup and testing of IRE's SafeNet-PK^TM and have translated the test results posted by NTT on their Japanese site into English and published them here.

IRE's SafeNet-PK^TM has already received the ICSA IPSec compatible certificate, but even so, there were still numerous vendors with whom keys couldn't be established or keys could be established but no traffic was sent after that.

This is due to the fact that those vendors tested were not fully IPSec compatible. Of all the other vendors products I tested IRE's SafeNet-PK^TM against, many were unable to talk directly with an IPSec client. The majority of these devices were Gateways and were able to communicate with other vendor's Gateway products, but were unable to set up the SPI properly to handle Gateway-to-Client communications. We were not the only ones to experience this. All IPSec compliant Client software tested experienced similar results. So regardless of whether you are fully IPSec compliant or not, until all vendors become fully IPSec compliant, multi-vendor interoperability will remain an issue at hand.

The original Japanese can be found by clicking on the results of the 2nd Interoperability testing or on the previous results of the 1st Interoperability testing which I was not present for as well as various other information concerning the testing (and which I have not translated).

There are two reports included, first is a simple cross-matrix showing the level of compatibility of each vendor's product against the others and the second is a more detailed explanation of configuration and various problems experienced during that testing.

I also found a picture that someone took of me and the IRE engineer present during the IPSec testing (unknowingly) and had posted on NTT's web site. I'm crouched down looking at a sniffer to find out why we were having problems with one of the other vendor's products.