IPSec VPN Testing
- IPSec conformance test
- Tunnel scalability test
- Tunnel setup rate test
- Re-key tests
- Data performance test
1. IPSec conformance test
Objective: To characterize the DUT's compliance with IETF standards.
Test setup: IxANVL IPSec test suite running a set of positive and negative test cases against the DUT.
Methodology: IxANVL tests interpret the IPSec RFCs and present a number of scenarios to test the DUT.
- Select a set of test cases to run in IxANVL.
- Configure the DUT with the corresponding IPSec parameters and IP addressing using a set of scripts.
- Run IxANVL in batch mode, with the scripts re-configuring the DUT between tests to match the IxANVL test setup.
Results: Number of tests passed/failed.
Figure 1. IxANVL - configuring the device under test for conformance testing.
Figure 2. IPSec conformance testing in IxANVL - test cases.
Figure 3. IPSec conformance testing in IxANVL - journal.
2. Tunnel scalability test
Objective: To determine the maximum number of tunnels a DUT can set up.
Test setup: Ixia's IxVPN product emulates secure gateways setting up IPSec tunnels against the DUT.
Parameters: Varying IKE and IPSec protocols including different modes (tunnel mode and transport mode), varying Diffie-Hellman (dh1, dh2, dh5) and encryption protocols (3DES, AES 128 and AES 256).
Methodology:
- Configure the DUT to accept tunnel requests from a number of peers.
- In IxVPN, create a mix of IPSec tunnel parameters. Configure the DUT to match the crypto-parameters for each tunnel that IxVPN will initiate.
- Set up tunnels sequentially against the DUT until a user-specified number of tunnels fail.
- Repeat the test for multiple iterations.
- Repeat the test with various mixes.
Result: Maximum number of tunnels that can be set up by the DUT with varying parameters (Figure 4 and Figure 5).
Figure 4. Tunnel capacity test results.
Figure 5. Tunnel capacity test results, graph view.
Creating mixes: example. As shown in Figure 6, the user can test a DUT with various combinations of IPSec tunnel parameters very quickly with IxVPN. While not every combination will be used in a given deployment, the ability to create mixes quickly is important for testing boundary conditions.
Figure 6. Using IxVPN to set combinations of IPSec parameters for testing.
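The capacity procedure above as a small driver, added here as an illustration and not part of the Ixia test plan or IxVPN: it builds every mode/DH/cipher mix from the listed parameters and sets up tunnels until a given number of attempts fail. `try_establish` and `stub_dut` are hypothetical names, and the stub's capacity numbers are constructed; a real run would replace the stub with an initiator driving the DUT.

```python
import itertools
import statistics

# Parameter values listed in the test plan.
MODES = ("tunnel", "transport")
DH_GROUPS = ("dh1", "dh2", "dh5")
CIPHERS = ("3DES", "AES 128", "AES 256")


def build_mixes():
    """Every mode / DH group / cipher combination (2 * 3 * 3 = 18 mixes)."""
    return list(itertools.product(MODES, DH_GROUPS, CIPHERS))


def capacity_run(try_establish, mix, max_failures, hard_limit=100_000):
    """Set up tunnels one at a time until max_failures attempts have failed.

    Returns the number of tunnels established before the run stopped.
    hard_limit bounds the run if the device never refuses a tunnel.
    """
    established = failures = 0
    while failures < max_failures and established < hard_limit:
        if try_establish(mix, established):
            established += 1
        else:
            failures += 1
    return established


def capacity_report(try_establish, mixes, max_failures=5, iterations=3):
    """Repeat the run for each mix; map mix -> (min, median, max) tunnels."""
    report = {}
    for mix in mixes:
        runs = [capacity_run(try_establish, mix, max_failures)
                for _ in range(iterations)]
        report[mix] = (min(runs), statistics.median(runs), max(runs))
    return report


def stub_dut(mix, established):
    """Hypothetical stand-in for a real initiator; capacities are constructed."""
    _mode, _dh, cipher = mix
    limit = {"3DES": 200, "AES 128": 300, "AES 256": 250}[cipher]
    return established < limit


if __name__ == "__main__":
    for mix, (low, mid, high) in capacity_report(stub_dut, build_mixes()).items():
        print(f"{mix[0]:9} {mix[1]:3} {mix[2]:7} min={low} median={mid} max={high}")
```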
3. Tunnel setup rate test
Objective: To determine the rate at which the DUT can set up IPSec tunnels under varying conditions.
Test setup: Ixia's IxVPN product emulates secure gateways setting up IPSec tunnels against the DUT.
Parameters: Varying IKE and IPSec protocols (as in the tunnel scalability test), as well as varying numbers of simultaneous requests to determine behavior under real-world conditions.
Methodology:
- Configure the DUT to accept tunnel requests from a number of peers.
- In IxVPN, create a mix of IPSec tunnel parameters. Configure the DUT to match the crypto-parameters for each tunnel IxVPN will initiate.
- Initiate a number of simultaneous tunnel requests from IxVPN and measure setup rates with each set of requests.
- Continue to set up new tunnels with varying numbers of simultaneous tunnel requests until a user-specified number of tunnels fail (as the DUT reaches capacity).
- Repeat the test for multiple iterations and with varying mixes.
Result: Tunnel setup rate as a function of established tunnels on the DUT. As shown in Figure 7, the rate drops significantly as the number of established tunnels increases.
Figure 7. IxVPN tunnel setup rate test, single iteration.
Figure 8. IxVPN tunnel setup rate test, aggregated results.
Figure 9. IxVPN setup rate test, statistics.
Figure 10. IxVPN per-phase, per-tunnel statistics.
Figure 10 shows statistics on a per-phase, per-tunnel basis. By using the data view filters, users can quickly see if certain tunnel parameters are causing performance problems.
4. Re-key tests
Objective: To determine the long-term stability of the DUT with re-keying, and the rate at which the DUT can re-key.
Test setup: Ixia's IxVPN product emulates secure gateways setting up IPSec tunnels against the DUT.
Parameters: Varying tunnel lifetimes and re-key intervals with various IKE and IPSec protocols.
Methodology:
- Establish a number of tunnels against the DUT using IxVPN.
- In IxVPN, configure the lifetime and re-key intervals to initiate re-keying.
- At the specified re-key interval, IxVPN initiates the re-key and measures any failures, as well as the rate at which the DUT completes the re-key.
- Repeat the test for multiple iterations and varying re-key intervals and parameters.
Results: Number of re-key failures and re-key rate.
Figure 11. IxVPN re-keying test options and report.
5. Data performance test
Objective: To determine encryption and decryption performance of the DUT so that the impact of IPSec on application performance can be assessed. Key metrics are encryption and decryption throughput, latency, and loss.
Test setup: Once the tunnels are set up using IxVPN, the IxChariot product is used to send data over the tunnels in a variety of traffic types.
Parameters: Varying application and transport protocols and packet sizes.
Methodology:
- Set up a number of tunnels against the DUT using IxVPN with various parameters.
- Set up IxChariot endpoints on both the public and private side of the DUT.
- Using the IxChariot console, send data over each of the tunnels from the emulated gateway side as well as from the host side to measure encryption and decryption performance.
- Repeat the test with varying packet sizes and IPSec parameters.
Results: Encryption and decryption throughput, latency, and loss. IxChariot reports before and after establishment of IPSec tunnels, showing the impact of IPSec overhead on application traffic (Figure 12).
Figure 12. IxChariot data performance test: before and after addition of IPSec traffic.
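Why packet size matters in this test, as an added example that is not part of the Ixia test plan: the per-packet ESP overhead for the ciphers listed above, and the largest packet that still avoids fragmentation. It assumes IPv4, CBC-mode ciphers, HMAC-SHA1-96 integrity and no NAT-T encapsulation, none of which the page specifies; the function names are illustrative.

```python
# Assumptions (not stated in the test plan): IPv4, CBC-mode ciphers,
# HMAC-SHA1-96 integrity (12-byte ICV), no NAT-T UDP encapsulation.
IPV4_HDR = 20     # outer header (tunnel mode) or original header (transport mode)
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
ICV = 12          # truncated HMAC-SHA1-96 integrity check value

# cipher -> (block size, IV size) in bytes; AES key length does not change either
CIPHERS = {"3DES": (8, 8), "AES 128": (16, 16), "AES 256": (16, 16)}


def esp_packet_size(ip_len, cipher, mode="tunnel"):
    """On-wire size of an ip_len-byte IPv4 packet after ESP encapsulation."""
    block, iv = CIPHERS[cipher]
    # Tunnel mode encrypts the whole inner packet; transport mode only its payload.
    protected = ip_len if mode == "tunnel" else ip_len - IPV4_HDR
    # Pad so that payload + trailer is a whole number of cipher blocks.
    pad = -(protected + ESP_TRAILER) % block
    return IPV4_HDR + ESP_HDR + iv + protected + pad + ESP_TRAILER + ICV


def goodput_ratio(ip_len, cipher, mode="tunnel"):
    """Fraction of on-wire bytes that belong to the original packet."""
    return ip_len / esp_packet_size(ip_len, cipher, mode)


def max_unfragmented(mtu, cipher, mode="tunnel"):
    """Largest original packet whose ESP form still fits in one mtu-sized packet."""
    for ip_len in range(mtu, IPV4_HDR, -1):
        if esp_packet_size(ip_len, cipher, mode) <= mtu:
            return ip_len
    return None


if __name__ == "__main__":
    for cipher in CIPHERS:
        for size in (64, 512, 1400):
            wire = esp_packet_size(size, cipher)
            print(f"{cipher:7} {size:5} -> {wire:5} bytes on wire, "
                  f"goodput {goodput_ratio(size, cipher):.1%}")
        print(f"{cipher:7} largest packet without fragmentation at MTU 1500: "
              f"{max_unfragmented(1500, cipher)}")
```

Packets larger than the `max_unfragmented` value are fragmented after encapsulation, which is one reason to include sizes on both sides of that boundary when varying packet sizes.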