Last Update: February 23, 2001
This scenario verifies interoperability when the target HOST is attached to the model network.
Verification of host's action.
IKE with IPsec Authentication Header transport mode.
- Verification Points

  Parameter            Value
  IKE Hash Algorithm   MD5, SHA1

- Fixed Parameters

  Parameter                        Value
  IKE Exchange mode                Main mode
  Authentication method            Pre-Shared key (DH group 1)
  Phase-1 lifetime                 24 hour
  Phase-2 lifetime                 24 hour
  Encryption Algorithm             DES
  IPsec Authentication algorithm   HMAC-MD5
  MODE                             Transport (configurations #3 and #4 in the table below use Tunnel)
  Granularity                      Host
  (3ffe:501:481d:f002::11)   (3ffe:501:481d:f002::12)
          HOST-2                     HOST-3
            |(HIF-2y)                  |(HIF-3y)
            |                          |
  (Net-y) --+------------+-------------+--  (3ffe:501:481d:f002::/64)
                         |
                         |(I/F-y) (3ffe:501:481d:f002::1)
                      ROUTER-1
                         |(I/F-z) (3ffe:501:481d:f001::1)
                         |
  (Net-z) ----+----------+-------------------  (3ffe:501:481d:f001::/64)
              |
              |(HIF-1z) (3ffe:501:481d:f001::11)
           HOST-1
  Network   Prefix                    Network media
  Net-y     3ffe:501:481d:f002::/64   Ethernet 10BASE-T
  Net-z     3ffe:501:481d:f001::/64   Ethernet 10BASE-T
  Machine    Comments            Initial status                                     Configuration
  HOST-3     Reference Machine   Attached to Net-y, power turned off.               -
  HOST-2     Reference Machine   Attached to Net-y, power turned off.               -
  ROUTER-1   Reference Machine   Power turned off. I/F-z is attached to Net-z,      Sends RA to Net-z and Net-y.
                                 I/F-y is attached to Net-y.
  HOST-1     Target Machine      Attached to Net-z, power turned off.               -
Configuration table (HOST-1 is the target; HOST-2 is its IKE/IPsec peer; HOST-3 has no IPsec configuration)

  Common to configurations #1 to #4:

  Parameter           Value
  IKE Exchange mode   Main
  Auth Method         Pre-Shared key ("IKE-TEST")
  DH Key              DH(1)
  Enc Alg             DES
  PH1 Lifetime        24 Hour
  PH2 Lifetime        24 Hour
  Protocol            AH
  AH auth             HMAC-MD5
  Upper               any

  Per-machine identifiers (the same in every configuration):

  Machine   Src      Dest     Local ID                 Remote ID
  HOST-1    HIF-1z   HIF-2y   3ffe:501:481d:f001::11   3ffe:501:481d:f002::11
  HOST-2    HIF-2y   HIF-1z   3ffe:501:481d:f002::11   3ffe:501:481d:f001::11

  Per-configuration parameters:

  No.   IKE Hash Alg   IPsec Mode
  1     MD5            Transport
  2     SHA1           Transport
  3     MD5            Tunnel
  4     SHA1           Tunnel
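The table states the parameters but not how they are loaded onto a host. The following Python renders them as KAME setkey(8) SPD entries, a racoon.conf and a psk.txt for configurations #1 to #4. This is an added example, not part of the test specification or of any TAHI tool; the choice of KAME/racoon, the file paths and the `render` helper are assumptions, while every parameter value is taken from the table.

```python
"""Render KAME setkey(8) SPD entries and racoon(8) configuration for
configurations #1-#4 of the table above.  Added example, not part of the
test specification: the KAME/racoon syntax and the file paths are
assumptions; every parameter value comes from the table."""

HOST1 = "3ffe:501:481d:f001::11"   # HIF-1z
HOST2 = "3ffe:501:481d:f002::11"   # HIF-2y
PSK = "IKE-TEST"                   # pre-shared key string from the Auth Method column

# configuration number -> (IKE hash algorithm, IPsec mode); everything else is fixed
CONFIGS = {
    1: ("md5", "transport"),
    2: ("sha1", "transport"),
    3: ("md5", "tunnel"),
    4: ("sha1", "tunnel"),
}


def setkey_spd(local, remote, mode):
    """SPD entries for 'setkey -c': AH required in both directions, upper protocol
    'any' (Granularity Host).  Tunnel mode names the tunnel endpoints as src-dst;
    transport mode leaves that field empty (hence the '//')."""
    def policy(src, dst):
        endpoints = "" if mode == "transport" else "%s-%s" % (src, dst)
        return "ah/%s/%s/require" % (mode, endpoints)
    return "\n".join([
        "spdadd %s %s any -P out ipsec %s;" % (local, remote, policy(local, remote)),
        "spdadd %s %s any -P in ipsec %s;" % (remote, local, policy(remote, local)),
    ])


def racoon_conf(local, remote, ike_hash, psk_path="/etc/racoon/psk.txt"):
    """Phase 1 ('remote' block) and phase 2 ('sainfo' block) with the table's values."""
    return "\n".join([
        'path pre_shared_key "%s";' % psk_path,
        "remote %s {" % remote,
        "    exchange_mode main;",                     # IKE Exchange mode: Main
        "    lifetime time 24 hour;",                  # PH1 Lifetime
        "    proposal {",
        "        encryption_algorithm des;",           # Enc Alg
        "        hash_algorithm %s;" % ike_hash,       # Hash Alg: the verification point
        "        authentication_method pre_shared_key;",
        "        dh_group 1;",                         # DH(1)
        "    }",
        "}",
        "sainfo address %s any address %s any {" % (local, remote),
        "    lifetime time 24 hour;",                  # PH2 Lifetime
        "    authentication_algorithm hmac_md5;",      # AH auth
        "    encryption_algorithm des;",               # phase 2 proposal; the SPD selects AH only
        "    compression_algorithm deflate;",
        "}",
    ])


def psk_txt(remote):
    """One line of psk.txt: peer identifier (its address) and the key."""
    return "%s %s" % (remote, PSK)


def render(number, local=HOST1, remote=HOST2):
    """All three artefacts for one configuration as seen from `local` (HOST-1 by
    default; call with local=HOST2, remote=HOST1 for the HOST-2 side)."""
    ike_hash, mode = CONFIGS[number]
    return {
        "setkey": setkey_spd(local, remote, mode),
        "racoon.conf": racoon_conf(local, remote, ike_hash),
        "psk.txt": psk_txt(remote),
    }


if __name__ == "__main__":
    for n in CONFIGS:
        print("# configuration #%d, HOST-1 side" % n)
        print(render(n)["setkey"])
        print()
```

Feed `render(n)["setkey"]` to `setkey -c`, write the other two strings to racoon.conf and psk.txt (psk.txt must be mode 0600 or racoon refuses it), then start racoon; the first ping6 of step 9 triggers the phase 1 and phase 2 exchanges. DES, MD5 and DH group 1 are the interoperability parameters of this 2001 scenario and are only appropriate on the isolated model network.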
Applications used:

  ping program (ping)

NOTE: We select these applications as typical applications for each protocol (ICMP/UDP/TCP). In this scenario, verifying each application in detail is not the subject.
Procedure

[Address auto configuration check]

 1. Boot ROUTER-1.
 2. Boot HOST-1.
 3. Boot HOST-2.
 4. Boot HOST-3.

[Availability confirmation]

 5. At HOST-2, run "ping" to HOST-1. Repeat 10 times, with 1452 bytes ICMP payload, interval 1 second.
    Ex) # ping6 -s 1452 -i 1 -c 10 HOST-1
    Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
              * HOST-2 receives ICMP Echo Reply from HOST-1.
    Comments: HOST-2 and HOST-1 don't use IPsec.

 6. At HOST-3, run "ping" to HOST-1. Repeat 10 times, with 1452 bytes ICMP payload, interval 1 second.
    Ex) # ping6 -s 1452 -i 1 -c 10 HOST-1
    Criteria: * HOST-3 sends ICMP Echo Request to HOST-1.
              * HOST-3 receives ICMP Echo Reply from HOST-1.
    Comments: HOST-3 and HOST-1 don't use IPsec.

[IPsec transport [IP][AH] (IKE auth=MD5)]

 7. At HOST-1, set configuration #1.
 8. At HOST-2, set configuration #1.

 9. At HOST-2, run "ping" to HOST-1. Repeat 20 times, with 64 bytes ICMP payload, interval 1 second.
    Ex) # ping6 -s 64 -i 1 -c 20 HOST-1
    Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
              * HOST-2 receives ICMP Echo Reply from HOST-1.
              * AH is attached to the original packet between HOST-1 and HOST-2.
    Comments: AH transport between HOST-1 and HOST-2 (HMAC-MD5). HOST-2 <-> HOST-1 (ICMP)

10. At HOST-3, run "ping" to HOST-1. Repeat 20 times, with 64 bytes ICMP payload, interval 1 second.
    Ex) # ping6 -s 64 -i 1 -c 20 HOST-1
    Criteria: * HOST-3 sends ICMP Echo Request to HOST-1.
              * HOST-3 receives ICMP Echo Reply from HOST-1.
              * Original packets go through between HOST-1 and HOST-3.
    Comments: HOST-3 and HOST-1 don't use IPsec.

[IPsec transport [IP][AH] (IKE auth=SHA1)]

11. At HOST-1, set configuration #2.
12. At HOST-2, set configuration #2.

13. At HOST-2, run "ping" to HOST-1. Repeat 20 times, with 64 bytes ICMP payload, interval 1 second.
    Ex) # ping6 -s 64 -i 1 -c 20 HOST-1
    Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
              * HOST-2 receives ICMP Echo Reply from HOST-1.
              * AH is attached to the original packet between HOST-1 and HOST-2.
    Comments: AH transport between HOST-1 and HOST-2 (HMAC-MD5). HOST-2 <-> HOST-1 (ICMP)

14. At HOST-3, run "ping" to HOST-1. Repeat 20 times, with 64 bytes ICMP payload, interval 1 second.
    Ex) # ping6 -s 64 -i 1 -c 20 HOST-1
    Criteria: * HOST-3 sends ICMP Echo Request to HOST-1.
              * HOST-3 receives ICMP Echo Reply from HOST-1.
              * Original packets go through between HOST-1 and HOST-3.
    Comments: HOST-3 and HOST-1 don't use IPsec.

[IPsec tunnel [IP][AH][IP] (IKE auth=MD5)]

15. At HOST-1, set configuration #3.
16. At HOST-2, set configuration #3.

17. At HOST-2, run "ping" to HOST-1. Repeat 20 times, with 64 bytes ICMP payload, interval 1 second.
    Ex) # ping6 -s 64 -i 1 -c 20 HOST-1
    Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
              * HOST-2 receives ICMP Echo Reply from HOST-1.
              * AH is attached to the original packet between HOST-1 and HOST-2.
    Comments: AH tunnel between HOST-1 and HOST-2 (HMAC-MD5). HOST-2 <-> HOST-1 (ICMP)

18. At HOST-3, run "ping" to HOST-1. Repeat 20 times, with 64 bytes ICMP payload, interval 1 second.
    Ex) # ping6 -s 64 -i 1 -c 20 HOST-1
    Criteria: * HOST-3 sends ICMP Echo Request to HOST-1.
              * HOST-3 receives ICMP Echo Reply from HOST-1.
              * Original packets go through between HOST-1 and HOST-3.
    Comments: HOST-3 and HOST-1 don't use IPsec, so no AH is expected on this traffic (the same criterion as step 10).

[IPsec tunnel [IP][AH][IP] (IKE auth=SHA1)]

19. At HOST-1, set configuration #4.
20. At HOST-2, set configuration #4.

21. At HOST-2, run "ping" to HOST-1. Repeat 20 times, with 64 bytes ICMP payload, interval 1 second.
    Ex) # ping6 -s 64 -i 1 -c 20 HOST-1
    Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
              * HOST-2 receives ICMP Echo Reply from HOST-1.
              * AH is attached to the original packet between HOST-1 and HOST-2.
    Comments: AH tunnel between HOST-1 and HOST-2 (HMAC-MD5). HOST-2 <-> HOST-1 (ICMP)

22. At HOST-3, run "ping" to HOST-1. Repeat 20 times, with 64 bytes ICMP payload, interval 1 second.
    Ex) # ping6 -s 64 -i 1 -c 20 HOST-1
    Criteria: * HOST-3 sends ICMP Echo Request to HOST-1.
              * HOST-3 receives ICMP Echo Reply from HOST-1.
              * Original packets go through between HOST-1 and HOST-3.
    Comments: HOST-3 and HOST-1 don't use IPsec, so no AH is expected on this traffic (the same criterion as step 14).

Items marked "*" (without a number) are the points judged in that step.
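The "AH is attached to the original packet" and "Original packets go through" criteria are judged from a capture taken on Net-z. The following Python is an added example, not part of the test specification: it walks the IPv6 header chain of a captured packet, tells [IP][AH] (transport) from [IP][AH][IP] (tunnel) by the AH next-header value, checks that the ICV length matches a 96-bit truncated HMAC, and recomputes the HMAC-MD5-96 ICV over the packet with the mutable fields zeroed, as RFC 2402 and RFC 2403 specify. The AH key and the sample packets are constructed here; in the real run the key is derived by IKE phase 2 (visible in the SAD via `setkey -D`) and the packets come from the capture.

```python
"""Checker for the "AH is attached to the original packet" / "Original packets
go through" judgements: classify a captured IPv6 packet as plain, AH transport
([IP][AH]) or AH tunnel ([IP][AH][IP]) and verify the HMAC-MD5-96 ICV
(RFC 2402, RFC 2403).  Added example, not part of the test specification;
the AH key and the packets below are constructed."""
import hashlib
import hmac
import socket
import struct

HOST1 = socket.inet_pton(socket.AF_INET6, "3ffe:501:481d:f001::11")
HOST2 = socket.inet_pton(socket.AF_INET6, "3ffe:501:481d:f002::11")
HOST3 = socket.inet_pton(socket.AF_INET6, "3ffe:501:481d:f002::12")

IPPROTO_AH, IPPROTO_IPV6, IPPROTO_ICMPV6 = 51, 41, 58
EXT_HDRS = (0, 43, 60)   # hop-by-hop, routing, destination options: skipped over
AH_FIXED = 12            # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12             # HMAC-MD5-96: 128-bit HMAC truncated to 96 bits

# Constructed 128-bit AH key.  In the real run IKE phase 2 derives it; read it
# from the SAD (setkey -D) on HOST-1 or HOST-2 to re-check captured ICVs.
AH_KEY = bytes(range(16))


def ipv6_header(src, dst, next_hdr, payload_len, hop_limit=64):
    return struct.pack("!IHBB", 0x60000000, payload_len, next_hdr, hop_limit) + src + dst


def icmpv6_checksum(src, dst, icmp):
    """RFC 2463 checksum: IPv6 pseudo-header plus the ICMPv6 message."""
    data = src + dst + struct.pack("!IxxxB", len(icmp), IPPROTO_ICMPV6) + icmp
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_echo_request(src, dst, ident, seq, payload):
    body = struct.pack("!BBHHH", 128, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def ah_icv(pkt, ah_off, key):
    """ICV = HMAC-MD5(key, packet with mutable fields zeroed)[:12].  For IPv6
    the mutable fields are traffic class, flow label and hop limit, plus the ICV
    itself (RFC 2402 3.3.3.1).  Mutable options in other extension headers are
    not handled; this scenario carries none."""
    buf = bytearray(pkt)
    buf[0:4] = b"\x60\x00\x00\x00"   # version 6, traffic class 0, flow label 0
    buf[7] = 0                        # hop limit
    icv_off = ah_off + AH_FIXED
    buf[icv_off:icv_off + ICV_LEN] = bytes(ICV_LEN)
    return hmac.new(key, bytes(buf), hashlib.md5).digest()[:ICV_LEN]


def ah_header(next_hdr, spi, seq):
    # Payload Len = (AH length in 32-bit words) - 2 = (12 + 12) / 4 - 2 = 4
    return struct.pack("!BBHII", next_hdr, (AH_FIXED + ICV_LEN) // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)


def build_ah_transport(src, dst, key, spi, seq, upper_proto, upper):
    """[IP][AH][upper]: AH sits between the base header and the ICMPv6 message."""
    pkt = ipv6_header(src, dst, IPPROTO_AH, AH_FIXED + ICV_LEN + len(upper)) + ah_header(upper_proto, spi, seq) + upper
    icv_off = 40 + AH_FIXED
    return pkt[:icv_off] + ah_icv(pkt, 40, key) + pkt[icv_off + ICV_LEN:]


def build_ah_tunnel(src, dst, key, spi, seq, inner):
    """[IP][AH][IP]...: the whole original packet follows AH as next header 41."""
    return build_ah_transport(src, dst, key, spi, seq, IPPROTO_IPV6, inner)


def classify(pkt):
    """Return ('plain' | 'ah-transport' | 'ah-tunnel', offset of AH or None)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while nh in EXT_HDRS:          # Hdr Ext Len is in 8-octet units, not counting the first 8
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nh != IPPROTO_AH:
        return "plain", None
    ah_nh, ah_payload_len = pkt[off], pkt[off + 1]
    if (ah_payload_len + 2) * 4 - AH_FIXED != ICV_LEN:
        raise ValueError("AH ICV is not 96 bits: not HMAC-MD5-96")
    return ("ah-tunnel" if ah_nh == IPPROTO_IPV6 else "ah-transport"), off


def judge(pkt, key):
    """Verdict for one captured packet: 'plain', the AH mode, or the AH mode
    suffixed '-bad-icv' when the ICV does not verify under `key`."""
    mode, off = classify(pkt)
    if mode == "plain":
        return mode
    got = pkt[off + AH_FIXED:off + AH_FIXED + ICV_LEN]
    return mode if hmac.compare_digest(got, ah_icv(pkt, off, key)) else mode + "-bad-icv"


def constructed_packets():
    """What steps 9/10 (transport) and 17/18 (tunnel) should show on the wire."""
    echo = icmpv6_echo_request(HOST2, HOST1, 0x1234, 1, bytes(64))
    plain = ipv6_header(HOST2, HOST1, IPPROTO_ICMPV6, len(echo)) + echo
    echo3 = icmpv6_echo_request(HOST3, HOST1, 0x1234, 1, bytes(64))
    return {
        "step9": build_ah_transport(HOST2, HOST1, AH_KEY, 0x1000, 1, IPPROTO_ICMPV6, echo),
        "step10": ipv6_header(HOST3, HOST1, IPPROTO_ICMPV6, len(echo3)) + echo3,
        "step17": build_ah_tunnel(HOST2, HOST1, AH_KEY, 0x1001, 1, plain),
    }
```

A packet that classifies as "ah-transport" or "ah-tunnel" satisfies the "AH is attached" criterion for steps 9, 13, 17 and 21; a HOST-3 packet must classify as "plain" for steps 10, 14, 18 and 22. The ICV length check alone cannot tell HMAC-MD5-96 from HMAC-SHA-1-96 (both are 96 bits), so the recomputation with the SA's key is what confirms the AH auth algorithm from the fixed parameters.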