The ICSA Labs IPSec Product Certification Program has the objective to make available to the end user community an ever-increasing selection of multiple vendors’ IPSec Products that are interoperable and that provide the security services of authentication, data integrity, and confidentiality. The IPSec Product Certification Criteria, Version 1.2 is based on the Internet Key Exchange version 1 (IKE), IPsec and related protocols. There is a baseline set of requirements that a Candidate IPSec Product must meet to attain the IPSec 1.2 BASIC Certification. In addition to the baseline requirements a vendor may elect to have optional functionality tested, as summarized below.

Furthermore, a vendor may elect to have the Candidate IPSec Product subjected to testing beyond the BASIC set of tests to verify that requirements related to digital certificate authentication are met. The Candidate IPSec Product will be granted the IPSec 1.2 ENHANCED Certification for meeting the digital certificate authentication requirements. This report will document the results of any optional or ENHANCED testing that was performed.

The following is a summary of the IPSec 1.2 BASIC requirements:
• General – The Candidate IPSec Product must be a generally available product and must interoperate with the other Certified IPSec Version 1.2 Products.
• IKE – The Candidate IPSec Product must be in compliance with a specific subset of requirements defined in the IETF IKE related RFCs, including RFC 2407, RFC 2408, and RFC 2409.
• IPsec – The Candidate IPSec Product must be in compliance with a specific subset of requirements defined in the IETF IPsec related RFCs, including RFC 4301 and RFC 4303.
• Cryptography – The Candidate IPSec Product must implement cryptographic algorithms without fatal or security-degrading mistakes, and must incorporate algorithms that are recognized on the list of ICSA Labs Approved Algorithms. The Candidate IPSec Product must employ acceptable key management techniques.
• Security Testing – The Candidate IPSec Product must not be vulnerable to an evolving set of remotely executable exploits related to the IKE/IPsec implementation that is known to the Internet community.
• Logging – The Candidate IPSec Product must have the ability to log the required data for rejected IKE messages and IPsec packets, and administrative changes.
• Administration – The Candidate IPSec Product must provide cryptographically protected remote administration.

Download