AH Transport to ESP Tunnel mode (Security Gateway)
[IP2][AH][ESP][IP1] 

[Interoperability Test Scenario]

Last Update: February 26, 2000


This scenario verifies interoperability when the target ROUTER is attached to the model network.
It verifies the router's behaviour when it acts as a Security Gateway (SGW) that applies an
Authentication Header (transport mode) to an ESP tunnel mode packet, giving [IP2][AH][ESP][IP1].

Verification Points:

- Authentication algorithm:
    HMAC-MD5
    HMAC-SHA1
- Encryption algorithm:
    NULL
    DES-CBC
- Mode:
    tunnel (ESP)
    transport (AH)
- Granularity:
    Network

 Host-1 -+- ROUTER-1 ---- ROUTER-2 ---- ROUTER-3 -+- Host-2
             SGW                            SGW
             | |                            ^ ^
             | |                            | |
             | +-----SA2(AH  Transport)-----+ |
             |                                |
             +-------SA1(ESP Tunnel)----------+


 Host-1 -+- ROUTER-1 ---- ROUTER-2 ---- ROUTER-3 -+- Host-2
             SGW                            SGW
             ^ ^                            | |
             | |                            | |
             | +-----SA2(AH  Transport)-----+ |
             |                                |
             +-------SA1(ESP Tunnel)----------+
SGW = Security Gateway

         HOST-2
           |(3ffe:501:481d:f004::22)
           |
(Net-w)  --+-----+--------- (3ffe:501:481d:f004::/64)
                 |
                 |(I/F3-w) (3ffe:501:481d:f004::3)
              ROUTER-3(SGW)
                 |(I/F3-x) (3ffe:501:481d:f003::3)
                 |
(Net-x)      ----+-----+--- (3ffe:501:481d:f003::/64)
                       |
                       |(I/F2-x) (3ffe:501:481d:f003::2)
                    ROUTER-2
                       |(I/F2-y) (3ffe:501:481d:f002::2)
                       |
(Net-y)      ----+-----+--- (3ffe:501:481d:f002::/64)
                 |
                 |(I/F1-y) (3ffe:501:481d:f002::1)
              ROUTER-1(SGW)
                 |(I/F1-z) (3ffe:501:481d:f001::1)
                 |
(Net-z)   --+----+--------- (3ffe:501:481d:f001::/64)
            |
            |(3ffe:501:481d:f001::11)
          HOST-1
Network   Prefix                     Network media
Net-w     3ffe:501:481d:f004::/64    Ethernet 10BASE-T
Net-x     3ffe:501:481d:f003::/64    Ethernet 10BASE-T
Net-y     3ffe:501:481d:f002::/64    Ethernet 10BASE-T
Net-z     3ffe:501:481d:f001::/64    Ethernet 10BASE-T

Machine   Comments           Initial status                                   Configuration
HOST-2    Reference Machine  Is attached to Net-w with power turned off.      -
ROUTER-3  Reference Machine  Power is turned off. I/F-z is attached to Net-x  Sends RA to Net-w and Net-x.
                             while I/F-y is attached to Net-w.                Sends and receives RIPng.
ROUTER-2  Reference Machine  Power is turned off. I/F-z is attached to Net-y  Sends RA to Net-x and Net-y.
                             while I/F-y is attached to Net-x.                Sends and receives RIPng.
ROUTER-1  Target Machine     Power is turned off. I/F-z is attached to Net-z  Sends RA to Net-z and Net-y.
                             while I/F-y is attached to Net-y.                Sends and receives RIPng.
HOST-1    Reference Machine  Is attached to Net-z with power turned off.      -

No.  Machine   Src    Dest   Protocol  Mode       SPI   AH auth    ESP enc  ESP auth  Upper  Port(Src/Dst)
1    ROUTER-1  Net-z  Net-w  ESP       Tunnel     1011  -          NULL     HMAC-MD5  any    -
               IF-1y  IF-3x  AH        Transport  1012  HMAC-MD5   -        -         any    -
     ROUTER-3  Net-w  Net-z  ESP       Tunnel     5011  -          NULL     HMAC-MD5  any    -
               IF-3x  IF-1y  AH        Transport  5012  HMAC-MD5   -        -         any    -

2    ROUTER-1  Net-z  Net-w  ESP       Tunnel     1021  -          NULL     HMAC-MD5  any    -
               IF-1y  IF-3x  AH        Transport  1022  HMAC-SHA1  -        -         any    -
     ROUTER-3  Net-w  Net-z  ESP       Tunnel     5021  -          NULL     HMAC-MD5  any    -
               IF-3x  IF-1y  AH        Transport  5022  HMAC-SHA1  -        -         any    -

3    ROUTER-1  Net-z  Net-w  ESP       Tunnel     1031  -          DES-CBC  HMAC-MD5  any    -
               IF-1y  IF-3x  AH        Transport  1032  HMAC-MD5   -        -         any    -
     ROUTER-3  Net-w  Net-z  ESP       Tunnel     5031  -          DES-CBC  HMAC-MD5  any    -
               IF-3x  IF-1y  AH        Transport  5032  HMAC-MD5   -        -         any    -

4    ROUTER-1  Net-z  Net-w  ESP       Tunnel     1041  -          DES-CBC  HMAC-MD5  any    -
               IF-1y  IF-3x  AH        Transport  1042  HMAC-SHA1  -        -         any    -
     ROUTER-3  Net-w  Net-z  ESP       Tunnel     5041  -          DES-CBC  HMAC-MD5  any    -
               IF-3x  IF-1y  AH        Transport  5042  HMAC-SHA1  -        -         any    -

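As an added check that is not part of the original scenario, the following Python parses a packet captured between the two SGWs, confirms that the outer header chain is [IP2][AH][ESP], and compares the AH and ESP SPIs with the SA table above for the chosen configuration. It assumes the tunnel endpoints are I/F1-y and I/F3-x from the topology; the sample packet is constructed with a dummy ICV and ESP body, and the AH ICV itself is not verified because the keys are not given on this page.

```python
import ipaddress
import struct
# Expected SAs from configurations #1-#4 on this page: (config, sending SGW) -> (ESP SPI, AH SPI)
SA_TABLE = {
    (1, "ROUTER-1"): (1011, 1012), (1, "ROUTER-3"): (5011, 5012),
    (2, "ROUTER-1"): (1021, 1022), (2, "ROUTER-3"): (5021, 5022),
    (3, "ROUTER-1"): (1031, 1032), (3, "ROUTER-3"): (5031, 5032),
    (4, "ROUTER-1"): (1041, 1042), (4, "ROUTER-3"): (5041, 5042),
}
# Tunnel endpoints are ROUTER-1 I/F1-y and ROUTER-3 I/F3-x (from the topology above)
ENDPOINT = {"3ffe:501:481d:f002::1": "ROUTER-1", "3ffe:501:481d:f003::3": "ROUTER-3"}
AH, ESP = 51, 50  # IANA next-header values for AH and ESP

def parse_outer(pkt):
    """Walk the outer IPv6 header and its AH/ESP chain; return (src, dst, chain, ah_spi, esp_spi)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    nh, off, chain, ah_spi, esp_spi = pkt[6], 40, [], None, None
    if nh == AH:
        ah_len = (pkt[off + 1] + 2) * 4  # AH payload length is in 32-bit words minus 2 (RFC 2402)
        ah_spi = struct.unpack("!I", pkt[off + 4:off + 8])[0]
        chain.append(AH)
        nh, off = pkt[off], off + ah_len
    if nh == ESP:
        esp_spi = struct.unpack("!I", pkt[off:off + 4])[0]
        chain.append(ESP)
    return src, dst, chain, ah_spi, esp_spi

def check_packet(pkt, config_no):
    """Judge one packet captured between the SGWs against configuration #config_no -> (ok, reason)."""
    src, dst, chain, ah_spi, esp_spi = parse_outer(pkt)
    sender = ENDPOINT.get(src)
    if sender is None or ENDPOINT.get(dst) in (None, sender):
        return False, "outer addresses are not the ROUTER-1/ROUTER-3 tunnel endpoints"
    if chain != [AH, ESP]:
        return False, "outer header chain is not [IP2][AH][ESP]"
    exp_esp, exp_ah = SA_TABLE[(config_no, sender)]
    if (ah_spi, esp_spi) != (exp_ah, exp_esp):
        return False, f"SPIs AH={ah_spi} ESP={esp_spi}, expected AH={exp_ah} ESP={exp_esp}"
    return True, f"{sender}: AH SPI {ah_spi} and ESP SPI {esp_spi} as configured"

def build_outer(src, dst, ah_spi, esp_spi, icv_len=12):
    """Constructed sample [IP2][AH][ESP] packet; the ICV and ESP body are dummy zero bytes."""
    ah = struct.pack("!BBHII", ESP, icv_len // 4 + 1, 0, ah_spi, 1) + b"\x00" * icv_len
    esp = struct.pack("!II", esp_spi, 1) + b"\x00" * 16
    ip6 = struct.pack("!IHBB", 6 << 28, len(ah) + len(esp), AH, 64)
    return ip6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + ah + esp
```

Feed parse_outer the IPv6 payload of frames captured on Net-x or Net-y; with DES-CBC the inner [IP1] is encrypted, so the check deliberately stops at the ESP SPI.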
No.  Action / Criteria / Comments

Address auto configuration check

 1   Boot ROUTER-1.                Criteria: -    Comments: -
 2   Boot ROUTER-2.                Criteria: -    Comments: -
 3   Boot ROUTER-3.                Criteria: -    Comments: -
 4   Boot HOST-1.                  Criteria: -    Comments: -
 5   Boot HOST-2.                  Criteria: -    Comments: -

Availability confirmation

 6   Action:   At HOST-1, run "ping" to HOST-2.
               Repeat 10 times, with 1452 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 1452 -i 1 -c 10 HOST-2
     Criteria: * HOST-1 sends ICMP Echo Request to HOST-2.
               * HOST-1 receives ICMP Echo Reply from HOST-2.
     Comments: ROUTER-1 and ROUTER-3 don't use IPsec.

IPsec tunnel and transport [IP2][AH][ESP][IP1] (AH auth=HMAC-MD5) (ESP enc=NULL) (ESP auth=HMAC-MD5)

 7   At ROUTER-1, set configuration #1.    Criteria: -    Comments: -
 8   At ROUTER-3, set configuration #1.    Criteria: -    Comments: -
 9   Action:   At HOST-1, run "ping" to HOST-2.
               Repeat 10 times, with 64 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 64 -i 1 -c 10 HOST-2
     Criteria: * HOST-1 sends ICMP Echo Request to HOST-2.
               * HOST-1 receives ICMP Echo Reply from HOST-2.
               * Original packets are encapsulated between ROUTER-1 and ROUTER-3.
               * Encapsulating packets include AH and ESP headers.
     Comments: ESP tunnel between ROUTER-1 and ROUTER-3.
               AH auth = HMAC-MD5, ESP enc = NULL, ESP auth = HMAC-MD5
               HOST-1 <-> HOST-2 (ICMP)
10   Action:   At HOST-1, run "ping" to HOST-2.
               Repeat 10 times, with 2000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 2000 -i 1 -c 10 HOST-2
     Criteria: * HOST-1 sends ICMP Echo Request to HOST-2.
               * HOST-1 receives ICMP Echo Reply from HOST-2.
               * Original packets are encapsulated between ROUTER-1 and ROUTER-3.
               * Encapsulating packets include AH and ESP headers.
     Comments: ESP tunnel between ROUTER-1 and ROUTER-3.
               AH auth = HMAC-MD5, ESP enc = NULL, ESP auth = HMAC-MD5
               HOST-1 <-> HOST-2 (ICMP)
               The packet will be fragmented into 2 packets.
11   Action:   At HOST-1, run "ping" to HOST-2.
               Repeat 10 times, with 3000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 3000 -i 1 -c 10 HOST-2
     Criteria: * HOST-1 sends ICMP Echo Request to HOST-2.
               * HOST-1 receives ICMP Echo Reply from HOST-2.
               * Original packets are encapsulated between ROUTER-1 and ROUTER-3.
               * Encapsulating packets include AH and ESP headers.
     Comments: ESP tunnel between ROUTER-1 and ROUTER-3.
               AH auth = HMAC-MD5, ESP enc = NULL, ESP auth = HMAC-MD5
               HOST-1 <-> HOST-2 (ICMP)
               The packet will be fragmented into 3 packets.

IPsec tunnel and transport [IP2][AH][ESP][IP1] (AH auth=HMAC-SHA1) (ESP enc=NULL) (ESP auth=HMAC-MD5)

12   At ROUTER-1, set configuration #2.    Criteria: -    Comments: -
13   At ROUTER-3, set configuration #2.    Criteria: -    Comments: -
14   Action:   At HOST-1, run "ping" to HOST-2.
               Repeat 10 times, with 64 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 64 -i 1 -c 10 HOST-2
     Criteria: * HOST-1 sends ICMP Echo Request to HOST-2.
               * HOST-1 receives ICMP Echo Reply from HOST-2.
               * Original packets are encapsulated between ROUTER-1 and ROUTER-3.
               * Encapsulating packets include AH and ESP headers.
     Comments: ESP tunnel between ROUTER-1 and ROUTER-3.
               AH auth = HMAC-SHA1, ESP enc = NULL, ESP auth = HMAC-MD5
               HOST-1 <-> HOST-2 (ICMP)
15   Action:   At HOST-1, run "ping" to HOST-2.
               Repeat 10 times, with 2000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 2000 -i 1 -c 10 HOST-2
     Criteria: * HOST-1 sends ICMP Echo Request to HOST-2.
               * HOST-1 receives ICMP Echo Reply from HOST-2.
               * Original packets are encapsulated between ROUTER-1 and ROUTER-3.
               * Encapsulating packets include AH and ESP headers.
     Comments: ESP tunnel between ROUTER-1 and ROUTER-3.
               AH auth = HMAC-SHA1, ESP enc = NULL, ESP auth = HMAC-MD5
               HOST-1 <-> HOST-2 (ICMP)
               The packet will be fragmented into 2 packets.
16   Action:   At HOST-1, run "ping" to HOST-2.
               Repeat 10 times, with 3000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 3000 -i 1 -c 10 HOST-2
     Criteria: * HOST-1 sends ICMP Echo Request to HOST-2.
               * HOST-1 receives ICMP Echo Reply from HOST-2.
               * Original packets are encapsulated between ROUTER-1 and ROUTER-3.
               * Encapsulating packets include AH and ESP headers.
     Comments: ESP tunnel between ROUTER-1 and ROUTER-3.
               AH auth = HMAC-SHA1, ESP enc = NULL, ESP auth = HMAC-MD5
               HOST-1 <-> HOST-2 (ICMP)
               The packet will be fragmented into 3 packets.

IPsec tunnel and transport [IP2][AH][ESP][IP1] (AH auth=HMAC-MD5) (ESP enc=DES-CBC) (ESP auth=HMAC-MD5)

17   At ROUTER-1, set configuration #3.    Criteria: -    Comments: -
18   At ROUTER-3, set configuration #3.    Criteria: -    Comments: -
19   Action:   At HOST-1, run "ping" to HOST-2.
               Repeat 10 times, with 64 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 64 -i 1 -c 10 HOST-2
     Criteria: * HOST-1 sends ICMP Echo Request to HOST-2.
               * HOST-1 receives ICMP Echo Reply from HOST-2.
               * Original packets are encapsulated between ROUTER-1 and ROUTER-3.
               * Encapsulating packets include AH and ESP headers.
     Comments: ESP tunnel between ROUTER-1 and ROUTER-3.
               AH auth = HMAC-MD5, ESP enc = DES-CBC, ESP auth = HMAC-MD5
               HOST-1 <-> HOST-2 (ICMP)
20   Action:   At HOST-1, run "ping" to HOST-2.
               Repeat 10 times, with 2000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 2000 -i 1 -c 10 HOST-2
     Criteria: * HOST-1 sends ICMP Echo Request to HOST-2.
               * HOST-1 receives ICMP Echo Reply from HOST-2.
               * Original packets are encapsulated between ROUTER-1 and ROUTER-3.
               * Encapsulating packets include AH and ESP headers.
     Comments: ESP tunnel between ROUTER-1 and ROUTER-3.
               AH auth = HMAC-MD5, ESP enc = DES-CBC, ESP auth = HMAC-MD5
               HOST-1 <-> HOST-2 (ICMP)
               The packet will be fragmented into 2 packets.
21   Action:   At HOST-1, run "ping" to HOST-2.
               Repeat 10 times, with 3000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 3000 -i 1 -c 10 HOST-2
     Criteria: * HOST-1 sends ICMP Echo Request to HOST-2.
               * HOST-1 receives ICMP Echo Reply from HOST-2.
               * Original packets are encapsulated between ROUTER-1 and ROUTER-3.
               * Encapsulating packets include AH and ESP headers.
     Comments: ESP tunnel between ROUTER-1 and ROUTER-3.
               AH auth = HMAC-MD5, ESP enc = DES-CBC, ESP auth = HMAC-MD5
               HOST-1 <-> HOST-2 (ICMP)
               The packet will be fragmented into 3 packets.

IPsec tunnel and transport [IP2][AH][ESP][IP1] (granularity=Network) (AH auth=HMAC-SHA1) (ESP enc=DES-CBC) (ESP auth=HMAC-MD5)

22   At ROUTER-1, set configuration #4.    Criteria: -    Comments: -
23   At ROUTER-3, set configuration #4.    Criteria: -    Comments: -
24   Action:   At HOST-1, run "ping" to HOST-2.
               Repeat 10 times, with 64 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 64 -i 1 -c 10 HOST-2
     Criteria: * HOST-1 sends ICMP Echo Request to HOST-2.
               * HOST-1 receives ICMP Echo Reply from HOST-2.
               * Original packets are encapsulated between ROUTER-1 and ROUTER-3.
               * Encapsulating packets include AH and ESP headers.
     Comments: ESP tunnel between ROUTER-1 and ROUTER-3.
               AH auth = HMAC-SHA1, ESP enc = DES-CBC, ESP auth = HMAC-MD5
               HOST-1 <-> HOST-2 (ICMP)
25   Action:   At HOST-1, run "ping" to HOST-2.
               Repeat 10 times, with 2000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 2000 -i 1 -c 10 HOST-2
     Criteria: * HOST-1 sends ICMP Echo Request to HOST-2.
               * HOST-1 receives ICMP Echo Reply from HOST-2.
               * Original packets are encapsulated between ROUTER-1 and ROUTER-3.
               * Encapsulating packets include AH and ESP headers.
     Comments: ESP tunnel between ROUTER-1 and ROUTER-3.
               AH auth = HMAC-SHA1, ESP enc = DES-CBC, ESP auth = HMAC-MD5
               HOST-1 <-> HOST-2 (ICMP)
               The packet will be fragmented into 2 packets.
26   Action:   At HOST-1, run "ping" to HOST-2.
               Repeat 10 times, with 3000 bytes ICMP payload, interval 1 second.
               Ex) # ping6 -I ed0 -s 3000 -i 1 -c 10 HOST-2
     Criteria: * HOST-1 sends ICMP Echo Request to HOST-2.
               * HOST-1 receives ICMP Echo Reply from HOST-2.
               * Original packets are encapsulated between ROUTER-1 and ROUTER-3.
               * Encapsulating packets include AH and ESP headers.
     Comments: ESP tunnel between ROUTER-1 and ROUTER-3.
               AH auth = HMAC-SHA1, ESP enc = DES-CBC, ESP auth = HMAC-MD5
               HOST-1 <-> HOST-2 (ICMP)
               The packet will be fragmented into 3 packets.

A line marked "*" (with no step number) is a criterion that is judged.
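The fragment counts given in the comments of steps 10, 11, 15, 16, 20, 21, 25 and 26 follow from the IPv6 fragmentation rules. This added Python (not part of the scenario) reproduces them and shows why step 6 uses 1452 bytes as the largest payload that still travels unfragmented; it assumes an Ethernet link MTU of 1500 bytes, which the page implies by listing 10BASE-T but does not state.

```python
IPV6_HDR, FRAG_HDR, ICMP6_HDR = 40, 8, 8  # header sizes in bytes (RFC 2460, RFC 2463)

def largest_unfragmented_payload(mtu=1500):
    """Largest ICMP payload that fits one IPv6 packet on the link (assumed MTU 1500)."""
    return mtu - IPV6_HDR - ICMP6_HDR

def ipv6_fragment_count(icmp_payload, mtu=1500):
    """Number of IPv6 packets HOST-1 emits for one Echo Request carrying
    icmp_payload data bytes, assuming the source host fragments at MTU 1500."""
    upper = ICMP6_HDR + icmp_payload  # everything after the IPv6 header is fragmentable
    if IPV6_HDR + upper <= mtu:
        return 1  # fits as is: no Fragment header is added
    # every non-final fragment carries a multiple of 8 bytes after the Fragment header
    per_fragment = (mtu - IPV6_HDR - FRAG_HDR) // 8 * 8
    return -(-upper // per_fragment)  # ceiling division
```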