Ambiguity in MOD_VPNGW_V1.3 makes it appear that PPK use is required, while RFC 8784 only requires that is it configurable whether it is required or not.

The Guidance Activity and Test for FIA_PSK_EXT.1 in MOD_VPNGW_V1.3-SD are updated as follows, with green-highlighted underlines indicating additions and red-highlighted strikethroughs indicating deletions:

Guidance

The evaluator shall examine the operational guidance to determine that it provides guidance to administrators on how to configure all selected pre-shared key options if any configuration is required.

The evaluator shall examine the operational guidance to determine that it provides guidance to administrators on how to configure the mandatory_or_not flag per RFC 8784.

Tests

The evaluator shall also perform the following tests for each protocol (or instantiation of a protocol, if performed by a different implementation on the TOE).

• Test FIA_PSK_EXT.1:1: For each mechanism selected in FIA_PSK_EXT.1.2 the evaluator shall attempt to establish a connection and confirm that the connection requires the selected factors in the PSK to establish the connection in alignment with table 1 from RFC 8784.

See Issue Description.