IPsec Tunnel mode to IPsec Transport mode (HOST)
[IP2][AH/ESP][IP1][AH/ESP]

[Interoperability Test Scenario]

Last Update: February 26, 2000


This scenario verifies interoperability when the target HOST is attached to the model network.
It verifies the host's actions for AH or ESP tunnel mode to AH or ESP tunnel mode packets.

Verification Points:

- Authentication algorithm: HMAC-MD5
- Encryption algorithm: NULL
- MODE: tunnel, transport
- Granularity: Network

SGW = Security Gateway

           Host-1 -------------------- ROUTER-1--- HOST-2
             | |                         SGW         ^
             | |                          ^          |
             | |                          |          |
             | +-----SA2(AH/ESP Tunnel)---+          |
             |                                       |
             +-------SA1(AH/ESP Transport)-----------+


           Host-1 -------------------- ROUTER-1--- HOST-2
             ^ ^                         SGW         |
             | |                          |          |
             | |                          |          |
             | +-----SA2(AH/ESP Tunnel)---+          |
             |                                       |
             +-------SA1(AH/ESP Transport)-----------+

               HOST-2
                 |(HIF-2y) (3ffe:501:481d:f002::11)
                 |
      (Net-y)  --+-----+------------- (3ffe:501:481d:f002::/64)
                       |
                       |(I/F-y) (3ffe:501:481d:f002::1)
                    ROUTER-1
                       |(I/F-z) (3ffe:501:481d:f001::1)
                       |
      (Net-z)  --+-----+------------- (3ffe:501:481d:f001::/64)
                 |
                 |(HIF-1z) (3ffe:501:481d:f001::11)
               HOST-1
Network   Prefix                    Network media
Net-y     3ffe:501:481d:f002::/64   Ethernet 10BASE-T
Net-z     3ffe:501:481d:f001::/64   Ethernet 10BASE-T

Machine    Comments            Initial status                                        Configuration
HOST-2     Reference Machine   Attached to Net-y with power turned off.              -
ROUTER-1   Reference Machine   Power is turned off. I/F-z is attached to Net-z       Sends RA to Net-z and Net-y.
                               while I/F-y is attached to Net-y.                     Sends and receives RIPng.
HOST-1     Target Machine      Attached to Net-z with power turned off.              -
No.  Machine    Src      Dest     Protocol  Mode       SPI   AH auth   ESP enc  ESP auth  Upper  Port(Src/Dst)
1    HOST-1     HIF-1z   HIF-2y   AH        Transport  1011  HMAC-MD5  -        -         any    -
     HOST-1     HIF-1z   IF-1z    AH        Tunnel     1012  HMAC-MD5  -        -         any    -
     ROUTER-1   IF-1z    HIF-1z   AH        Tunnel     2011  HMAC-MD5  -        -         any    -
     HOST-2     HIF-2y   HIF-1z   AH        Transport  3012  HMAC-MD5  -        -         any    -

2    HOST-1     HIF-1z   HIF-2y   ESP       Transport  1021  -         NULL     HMAC-MD5  any    -
     HOST-1     HIF-1z   IF-1z    AH        Tunnel     1022  HMAC-MD5  -        -         any    -
     ROUTER-1   IF-1z    HIF-1z   AH        Tunnel     2021  HMAC-MD5  -        -         any    -
     HOST-2     HIF-2y   HIF-1z   ESP       Transport  3022  -         NULL     HMAC-MD5  any    -

3    HOST-1     HIF-1z   HIF-2y   AH        Transport  1031  HMAC-MD5  -        -         any    -
     HOST-1     HIF-1z   IF-1z    ESP       Tunnel     1032  -         NULL     HMAC-MD5  any    -
     ROUTER-1   IF-1z    HIF-1z   ESP       Tunnel     5031  -         NULL     HMAC-MD5  any    -
     HOST-2     HIF-2y   HIF-1z   AH        Transport  5032  HMAC-MD5  -        -         any    -

4    HOST-1     HIF-1z   HIF-2y   ESP       Transport  1041  -         NULL     HMAC-MD5  any    -
     HOST-1     HIF-1z   IF-1z    ESP       Tunnel     1042  -         NULL     HMAC-MD5  any    -
     ROUTER-1   IF-1z    HIF-1z   ESP       Tunnel     5041  -         NULL     HMAC-MD5  any    -
     HOST-2     HIF-2y   HIF-1z   ESP       Transport  5042  -         NULL     HMAC-MD5  any    -
No.  Action / Criteria / Comments

Address auto configuration check.

1    Action:   Boot ROUTER-1.
     Criteria: -
     Comments: -

2    Action:   Boot HOST-1.
     Criteria: -
     Comments: -

3    Action:   Boot HOST-2.
     Criteria: -
     Comments: -

Availability confirmation.

4    Action:   At HOST-2, run "ping" to HOST-1.
               Repeat 10 times, with 1452 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 1452 -i 1 -c 10 HOST-1
     Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
               * HOST-2 receives ICMP Echo Reply from HOST-1.
     Comments: HOST-1, HOST-2 and ROUTER-1 don't use IPsec.

IPsec tunnel to IPsec transport  [IP2][AH][IP1][AH]

5    Action:   At ROUTER-1, set configuration #1.
     Criteria: -
     Comments: -

6    Action:   At HOST-1, set configuration #1.
     Criteria: -
     Comments: -

7    Action:   At HOST-2, set configuration #1.
     Criteria: -
     Comments: -

8    Action:   At HOST-2, run "ping" to HOST-1.
               Repeat 10 times, with 64 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 64 -i 1 -c 10 HOST-1
     Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
               * HOST-2 receives ICMP Echo Reply from HOST-1.
               * AH is attached to original packet. [IP1][AH]
               * [IP1] is encapsulated by [IP2], including AH, between HOST-1 and ROUTER-1.
     Comments: IP1 [SRC=HIF-1z/HIF-2y] - [DST=HIF-2y/HIF-1z]
               IP2 [SRC=HIF-1z/IF-1z] - [DST=IF-1z/HIF-1z]
               Original packet=[IP1]

9    Action:   At HOST-2, run "ping" to HOST-1.
               Repeat 10 times, with 2000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 2000 -i 1 -c 10 HOST-1
     Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
               * HOST-2 receives ICMP Echo Reply from HOST-1.
               * AH is attached to original packet. [IP1][AH]
               * [IP1] is encapsulated by [IP2], including AH, between HOST-1 and ROUTER-1.
     Comments: Original packet will be fragmented into 2 packets.

10   Action:   At HOST-2, run "ping" to HOST-1.
               Repeat 10 times, with 3000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 3000 -i 1 -c 10 HOST-1
     Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
               * HOST-2 receives ICMP Echo Reply from HOST-1.
               * AH is attached to original packet. [IP1][AH]
               * [IP1] is encapsulated by [IP2], including AH, between HOST-1 and ROUTER-1.
     Comments: Original packet will be fragmented into 3 packets.

IPsec tunnel to IPsec transport  [IP2][AH][IP1][ESP]

11   Action:   At ROUTER-1, set configuration #2.
     Criteria: -
     Comments: -

12   Action:   At HOST-1, set configuration #2.
     Criteria: -
     Comments: -

13   Action:   At HOST-2, set configuration #2.
     Criteria: -
     Comments: -

14   Action:   At HOST-2, run "ping" to HOST-1.
               Repeat 10 times, with 64 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 64 -i 1 -c 10 HOST-1
     Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
               * HOST-2 receives ICMP Echo Reply from HOST-1.
               * AH is attached to original packet. [IP1][ESP]
               * [IP1] is encapsulated by [IP2], including AH, between HOST-1 and ROUTER-1.
     Comments: IP1 [SRC=HIF-1z/HIF-2y] - [DST=HIF-2y/HIF-1z]
               IP2 [SRC=HIF-1z/IF-1z] - [DST=IF-1z/HIF-1z]
               Original packet=[IP1]

15   Action:   At HOST-2, run "ping" to HOST-1.
               Repeat 10 times, with 2000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 2000 -i 1 -c 10 HOST-1
     Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
               * HOST-2 receives ICMP Echo Reply from HOST-1.
               * AH is attached to original packet. [IP1][ESP]
               * [IP1] is encapsulated by [IP2], including AH, between HOST-1 and ROUTER-1.
     Comments: Original packet will be fragmented into 2 packets.

16   Action:   At HOST-2, run "ping" to HOST-1.
               Repeat 10 times, with 3000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 3000 -i 1 -c 10 HOST-1
     Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
               * HOST-2 receives ICMP Echo Reply from HOST-1.
               * AH is attached to original packet. [IP1][ESP]
               * [IP1] is encapsulated by [IP2], including AH, between HOST-1 and ROUTER-1.
     Comments: Original packet will be fragmented into 3 packets.

IPsec tunnel to IPsec transport  [IP2][ESP][IP1][AH]

17   Action:   At ROUTER-1, set configuration #3.
     Criteria: -
     Comments: -

18   Action:   At HOST-1, set configuration #3.
     Criteria: -
     Comments: -

19   Action:   At HOST-2, set configuration #3.
     Criteria: -
     Comments: -

20   Action:   At HOST-2, run "ping" to HOST-1.
               Repeat 10 times, with 64 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 64 -i 1 -c 10 HOST-1
     Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
               * HOST-2 receives ICMP Echo Reply from HOST-1.
               * AH is attached to original packet. [IP1][ESP]
               * [IP1] is encapsulated by [IP2], including AH, between HOST-1 and ROUTER-1.
     Comments: IP1 [SRC=HIF-1z/HIF-2y] - [DST=HIF-2y/HIF-1z]
               IP2 [SRC=HIF-1z/IF-1z] - [DST=IF-1z/HIF-1z]
               Original packet=[IP1]

21   Action:   At HOST-2, run "ping" to HOST-1.
               Repeat 10 times, with 2000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 2000 -i 1 -c 10 HOST-1
     Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
               * HOST-2 receives ICMP Echo Reply from HOST-1.
               * AH is attached to original packet. [IP1][ESP]
               * [IP1] is encapsulated by [IP2], including AH, between HOST-1 and ROUTER-1.
     Comments: Original packet will be fragmented into 2 packets.

22   Action:   At HOST-2, run "ping" to HOST-1.
               Repeat 10 times, with 3000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 3000 -i 1 -c 10 HOST-1
     Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
               * HOST-2 receives ICMP Echo Reply from HOST-1.
               * AH is attached to original packet. [IP1][ESP]
               * [IP1] is encapsulated by [IP2], including AH, between HOST-1 and ROUTER-1.
     Comments: Original packet will be fragmented into 3 packets.

IPsec tunnel to IPsec transport  [IP2][ESP][IP1][ESP]

23   Action:   At ROUTER-1, set configuration #4.
     Criteria: -
     Comments: -

24   Action:   At HOST-1, set configuration #4.
     Criteria: -
     Comments: -

25   Action:   At HOST-2, set configuration #4.
     Criteria: -
     Comments: -

26   Action:   At HOST-2, run "ping" to HOST-1.
               Repeat 10 times, with 64 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 64 -i 1 -c 10 HOST-1
     Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
               * HOST-2 receives ICMP Echo Reply from HOST-1.
               * AH is attached to original packet. [IP1][ESP]
               * [IP1] is encapsulated by [IP2], including AH, between HOST-1 and ROUTER-1.
     Comments: IP1 [SRC=HIF-1z/HIF-2y] - [DST=HIF-2y/HIF-1z]
               IP2 [SRC=HIF-1z/IF-1z] - [DST=IF-1z/HIF-1z]
               Original packet=[IP1]

27   Action:   At HOST-2, run "ping" to HOST-1.
               Repeat 10 times, with 2000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 2000 -i 1 -c 10 HOST-1
     Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
               * HOST-2 receives ICMP Echo Reply from HOST-1.
               * AH is attached to original packet. [IP1][ESP]
               * [IP1] is encapsulated by [IP2], including AH, between HOST-1 and ROUTER-1.
     Comments: Original packet will be fragmented into 2 packets.

28   Action:   At HOST-2, run "ping" to HOST-1.
               Repeat 10 times, with 3000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 3000 -i 1 -c 10 HOST-1
     Criteria: * HOST-2 sends ICMP Echo Request to HOST-1.
               * HOST-2 receives ICMP Echo Reply from HOST-1.
               * AH is attached to original packet. [IP1][ESP]
               * [IP1] is encapsulated by [IP2], including AH, between HOST-1 and ROUTER-1.
     Comments: Original packet will be fragmented into 3 packets.

A criterion marked "*" (with no number) is an item that is judged in this scenario.
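The following script is an added worked example, not part of the original TAHI scenario page. It models the four SA configurations from the configuration table and checks two things the action table's criteria rely on: the header layout expected on the ROUTER-1 to HOST-1 leg ([IP2][AH|ESP][IP1][AH|ESP]) and how many IPv6 fragments HOST-2 emits for the 1452-, 64-, 2000- and 3000-byte pings. The page does not state a link MTU, the ICV length, or where fragmentation happens, so the script assumes a 1500-byte Ethernet MTU, the 12-byte truncated ICV of HMAC-MD5-96, and that the sender applies transport-mode AH/ESP before fragmenting (in IPv6, AH and ESP sit in the fragmentable part, so the ICV covers the unfragmented packet). The helper names (`find_sa`, `ipsec_overhead`, `wire_layout`, `fragment_count`, `tunnel_outer_len`) are this example's own.

```python
"""Added worked example for the TAHI IPsec tunnel-to-transport scenario.

Not part of the original page. Assumptions (not stated on the page):
a 1500-byte link MTU on Net-y/Net-z, a 12-byte HMAC-MD5-96 ICV, and
transport-mode AH/ESP applied before the sender fragments.
"""
import math
from dataclasses import dataclass

IPV6_HDR = 40    # fixed IPv6 header
FRAG_HDR = 8     # IPv6 Fragment extension header
ICMPV6_HDR = 8   # ICMPv6 Echo Request/Reply header
ICV = 12         # HMAC-MD5-96 truncated ICV (assumption)
MTU = 1500       # link MTU assumed for Net-y / Net-z (assumption)


@dataclass(frozen=True)
class SA:
    machine: str
    src: str
    dst: str
    proto: str   # "AH" or "ESP"
    mode: str    # "Transport" or "Tunnel"
    spi: int


# Endpoints, protocols, modes and SPIs copied from the configuration table.
CONFIGS = {
    1: [SA("HOST-1", "HIF-1z", "HIF-2y", "AH", "Transport", 1011),
        SA("HOST-1", "HIF-1z", "IF-1z", "AH", "Tunnel", 1012),
        SA("ROUTER-1", "IF-1z", "HIF-1z", "AH", "Tunnel", 2011),
        SA("HOST-2", "HIF-2y", "HIF-1z", "AH", "Transport", 3012)],
    2: [SA("HOST-1", "HIF-1z", "HIF-2y", "ESP", "Transport", 1021),
        SA("HOST-1", "HIF-1z", "IF-1z", "AH", "Tunnel", 1022),
        SA("ROUTER-1", "IF-1z", "HIF-1z", "AH", "Tunnel", 2021),
        SA("HOST-2", "HIF-2y", "HIF-1z", "ESP", "Transport", 3022)],
    3: [SA("HOST-1", "HIF-1z", "HIF-2y", "AH", "Transport", 1031),
        SA("HOST-1", "HIF-1z", "IF-1z", "ESP", "Tunnel", 1032),
        SA("ROUTER-1", "IF-1z", "HIF-1z", "ESP", "Tunnel", 5031),
        SA("HOST-2", "HIF-2y", "HIF-1z", "AH", "Transport", 5032)],
    4: [SA("HOST-1", "HIF-1z", "HIF-2y", "ESP", "Transport", 1041),
        SA("HOST-1", "HIF-1z", "IF-1z", "ESP", "Tunnel", 1042),
        SA("ROUTER-1", "IF-1z", "HIF-1z", "ESP", "Tunnel", 5041),
        SA("HOST-2", "HIF-2y", "HIF-1z", "ESP", "Transport", 5042)],
}


def find_sa(cfg, src, dst):
    """Return the SA whose endpoints match; raise if the table lacks one."""
    for sa in CONFIGS[cfg]:
        if sa.src == src and sa.dst == dst:
            return sa
    raise KeyError(f"config {cfg}: no SA {src} -> {dst}")


def ipsec_overhead(proto, inner_len):
    """Bytes added by one AH or ESP (NULL encryption, HMAC-MD5-96) header."""
    if proto == "AH":
        return 12 + ICV                 # next hdr, len, reserved, SPI, seq + ICV = 24
    pad = (-(inner_len + 2)) % 4        # pad so payload + padlen + nexthdr is 4-aligned
    return 8 + pad + 2 + ICV            # SPI + seq, padding, trailer, ICV


def wire_layout(cfg):
    """Header layout of an Echo Request on the ROUTER-1 -> HOST-1 leg."""
    tunnel = find_sa(cfg, "IF-1z", "HIF-1z")       # ROUTER-1's tunnel SA
    transport = find_sa(cfg, "HIF-2y", "HIF-1z")   # HOST-2's transport SA
    return f"[IP2][{tunnel.proto}][IP1][{transport.proto}]"


def fragment_count(payload, cfg=None):
    """Fragments HOST-2 emits for an Echo Request carrying `payload` data bytes.

    cfg=None is step 4 (no IPsec); otherwise HOST-2's transport SA applies.
    """
    fragmentable = ICMPV6_HDR + payload
    if cfg is not None:
        proto = find_sa(cfg, "HIF-2y", "HIF-1z").proto
        fragmentable += ipsec_overhead(proto, fragmentable)
    if IPV6_HDR + fragmentable <= MTU:
        return 1
    per_fragment = (MTU - IPV6_HDR - FRAG_HDR) // 8 * 8   # 1448, a multiple of 8
    return math.ceil(fragmentable / per_fragment)


def tunnel_outer_len(cfg, inner_len):
    """Size of one inner packet after ROUTER-1 encapsulates it toward HOST-1."""
    proto = find_sa(cfg, "IF-1z", "HIF-1z").proto
    return IPV6_HDR + ipsec_overhead(proto, inner_len) + inner_len


if __name__ == "__main__":
    for cfg in CONFIGS:
        print(f"config #{cfg}: {wire_layout(cfg)}; fragments for 64/2000/3000 bytes:",
              [fragment_count(n, cfg) for n in (64, 2000, 3000)])
    print("a full 1500-byte fragment becomes", tunnel_outer_len(1, MTU),
          "bytes after the tunnel header, which exceeds the assumed MTU")
```

Under these assumptions the 1452-byte ping of step 4 fills the 1500-byte MTU exactly and needs no fragmentation, while the 2000- and 3000-byte pings give the 2 and 3 fragments the criteria expect, with or without the 24-byte transport AH/ESP overhead. The last line is the caveat the scenario does not spell out: once ROUTER-1 adds [IP2] and the tunnel AH/ESP header, a full-size inner fragment grows to 1564 bytes, so the tunnel ingress has to fragment the outer packet again; the "fragmented into N packets" criteria count only the original packet's fragments, so a capture on Net-z will show more packets than N.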