From 69bc73179fe39ea02c9d53c0eb167e1320bcf090 Mon Sep 17 00:00:00 2001
From: Jan Gelety <jgelety@cisco.com>
Date: Thu, 16 Nov 2017 18:47:05 +0100
Subject: CSIT-859: KW to add crypto SW device to startup.conf

Change-Id: I8441d58a2d7f604b64fff358a3cef8d72289dcdc
Signed-off-by: Jan Gelety <jgelety@cisco.com>
---
 .../eth2p-ethip4ipsectnl-ip4base-func.robot        | 523 +++++++++++++++++++
 .../eth2p-ethip4ipsectpt-ip4base-func.robot        | 487 ++++++++++++++++++
 .../eth2p-ethip4ipsectptlispgpe-ip4base-func.robot | 270 ++++++++++
 .../eth2p-ethip4ipsectptlispgpe-ip6base-func.robot | 160 ++++++
 ...h2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot | 135 +++++
 .../eth2p-ethip6ipsectnl-ip6base-func.robot        | 523 +++++++++++++++++++
 .../eth2p-ethip6ipsectpt-ip6base-func.robot        | 487 ++++++++++++++++++
 .../eth2p-ethip6ipsectptlispgpe-ip4base-func.robot | 158 ++++++
 .../eth2p-ethip6ipsectptlispgpe-ip6base-func.robot | 174 +++++++
 .../crypto/eth2p-ethip4ipsectnl-ip4base-func.robot | 523 -------------------
 .../crypto/eth2p-ethip4ipsectpt-ip4base-func.robot | 487 ------------------
 .../eth2p-ethip4ipsectptlispgpe-ip4base-func.robot | 270 ----------
 .../eth2p-ethip4ipsectptlispgpe-ip6base-func.robot | 160 ------
 ...h2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot | 135 -----
 .../crypto/eth2p-ethip6ipsectnl-ip6base-func.robot | 523 -------------------
 .../crypto/eth2p-ethip6ipsectpt-ip6base-func.robot | 487 ------------------
 .../eth2p-ethip6ipsectptlispgpe-ip4base-func.robot | 158 ------
 .../eth2p-ethip6ipsectptlispgpe-ip6base-func.robot | 174 -------
 .../eth2p-ethip4ipsectnlsw-ip4base-func.robot      | 560 +++++++++++++++++++++
 .../eth2p-ethip4ipsectptsw-ip4base-func.robot      | 535 ++++++++++++++++++++
 20 files changed, 4012 insertions(+), 2917 deletions(-)
 create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip4ipsectnl-ip4base-func.robot
 create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip4ipsectpt-ip4base-func.robot
 create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot
 create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot
 create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot
 create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip6ipsectnl-ip6base-func.robot
 create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip6ipsectpt-ip6base-func.robot
 create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot
 create mode 100644 tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot
 delete mode 100644 tests/vpp/func/crypto/eth2p-ethip4ipsectnl-ip4base-func.robot
 delete mode 100644 tests/vpp/func/crypto/eth2p-ethip4ipsectpt-ip4base-func.robot
 delete mode 100644 tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot
 delete mode 100644 tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot
 delete mode 100644 tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot
 delete mode 100644 tests/vpp/func/crypto/eth2p-ethip6ipsectnl-ip6base-func.robot
 delete mode 100644 tests/vpp/func/crypto/eth2p-ethip6ipsectpt-ip6base-func.robot
 delete mode 100644 tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot
 delete mode 100644 tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot
 create mode 100644 tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectnlsw-ip4base-func.robot
 create mode 100644 tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectptsw-ip4base-func.robot

(limited to 'tests')

diff --git a/tests/vpp/func/crypto/default/eth2p-ethip4ipsectnl-ip4base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectnl-ip4base-func.robot
new file mode 100644
index 0000000000..814d8ee45c
--- /dev/null
+++ b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectnl-ip4base-func.robot
@@ -0,0 +1,523 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+| Library | resources.libraries.python.Trace
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO
+| ...        | VM_ENV | HW_ENV | SKIP_VPP_PATCH
+| ...
+| Test Setup | Set up IPv4 IPSec functional test
+| ...
+| Test Teardown | Tear down IPSec functional test | ${dut_node}
+| ...
+| Documentation | *IPv4 IPsec tunnel mode test suite.*
+| ...
+| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\
+| ... | between nodes.
+| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure\
+| ... | loopback an physical interface IPv4 addresses, static ARP record, route\
+| ... | and IPsec manual keyed connection in tunnel mode.
+| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\
+| ... | is received on TG from DUT1.
+| ... | *[Ref] Applicable standard specifications:* RFC4303.
+
+*** Variables ***
+| ${tg_spi}= | ${1000}
+| ${dut_spi}= | ${1001}
+| ${ESP_PROTO}= | ${50}
+| ${tg_if_ip4}= | 192.168.100.2
+| ${dut_if_ip4}= | 192.168.100.3
+| ${tg_lo_ip4}= | 192.168.3.3
+| ${dut_lo_ip4}= | 192.168.4.4
+| ${ip4_plen}= | ${24}
+
+*** Test Cases ***
+| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC02: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC03: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC04: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC06: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC07: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC08: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC10: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC11: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG.
+| | ... | [Ref] RFC4303.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
+| | ... | and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
+| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+*** Keywords ***
+| Get Second Random String
+| | [Arguments] | ${req_alg} | ${req_type}
+| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
+| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
+| | ... | '${req_type}' == 'Integ' | ${auth_key}
+| | :FOR | ${index} | IN RANGE | 100
+| | | ${req_key}= | Generate Random String | ${req_key_len}
+| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}
diff --git a/tests/vpp/func/crypto/default/eth2p-ethip4ipsectpt-ip4base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectpt-ip4base-func.robot
new file mode 100644
index 0000000000..e599cf9506
--- /dev/null
+++ b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectpt-ip4base-func.robot
@@ -0,0 +1,487 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+| Library | resources.libraries.python.Trace
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO
+| ...        | VM_ENV | HW_ENV | SKIP_VPP_PATCH
+| Test Setup | Set up IPv4 IPSec functional test
+| ...
+| Test Teardown | Tear down IPSec functional test | ${dut_node}
+| ...
+| Documentation | *IPv4 IPsec transport mode test suite.*
+| ...
+| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\
+| ... | between nodes.
+| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure\
+| ... | loopback an physical interface IPv4 addresses, static ARP record, route\
+| ... | and IPsec manual keyed connection in transport mode.
+| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\
+| ... | is received on TG from DUT1.
+| ... | *[Ref] Applicable standard specifications:* RFC4303.
+
+*** Variables ***
+| ${tg_spi}= | ${1000}
+| ${dut_spi}= | ${1001}
+| ${ESP_PROTO}= | ${50}
+| ${tg_if_ip4}= | 192.168.100.2
+| ${dut_if_ip4}= | 192.168.100.3
+| ${tg_lo_ip4}= | 192.168.3.3
+| ${dut_lo_ip4}= | 192.168.4.4
+| ${ip4_plen}= | ${24}
+
+*** Test Cases ***
+| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC02: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC03: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC04: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC06: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC07: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC08: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC10: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC11: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+
+| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG.
+| | ... | [Ref] RFC4303.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
+| | ... | and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
+| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+*** Keywords ***
+| Get Second Random String
+| | [Arguments] | ${req_alg} | ${req_type}
+| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
+| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
+| | ... | '${req_type}' == 'Integ' | ${auth_key}
+| | :FOR | ${index} | IN RANGE | 100
+| | | ${req_key}= | Generate Random String | ${req_key_len}
+| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}
diff --git a/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot
new file mode 100644
index 0000000000..15c10d40fc
--- /dev/null
+++ b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot
@@ -0,0 +1,270 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Library | resources.libraries.python.topology.Topology
+| Library | resources.libraries.python.NodePath
+| Library | resources.libraries.python.Trace
+| Library | resources.libraries.python.LispUtil
+| Library | resources.libraries.python.VhostUser
+| Library | resources.libraries.python.QemuUtils
+| Library | resources.libraries.python.VPPUtil
+| Library | resources.libraries.python.IPsecUtil
+| Resource | resources/libraries/robot/shared/traffic.robot
+| Resource | resources/libraries/robot/shared/default.robot
+| Resource | resources/libraries/robot/shared/interfaces.robot
+| Resource | resources/libraries/robot/shared/testing_path.robot
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+| Resource | resources/libraries/robot/vm/qemu.robot
+| Resource | resources/libraries/robot/overlay/lispgpe.robot
+| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot
+| Resource | resources/libraries/robot/overlay/l2lisp.robot
+# Import configuration and test data:
+| Variables | resources/test_data/lisp/ipv4_ipsec_lispgpe_ipv4/ipv4_ipsec_lispgpe_ipv4.py
+| ...
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH
+| ...
+| Test Setup | Set up functional test
+| ...
+| Test Teardown | Tear down LISP functional test
+| ...
+| Documentation | *IPv4-ip4-ipsec-lispgpe-ip4 - main fib, vrf (gpe_vni-to-vrf)*
+| ...
+| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\
+| ... | with single links between nodes.
+| ... | *[Enc] Packet Encapsulations:* ICMPv4-IPv4-IPSec-LISPGPE-IPv4-ICMPv4.
+| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\
+| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\
+| ... | on RLOC interface or lisp_gpe0 interface.
+| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\
+| ... | DUT2 where it is forwarded to TG(if2).
+| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303.
+
+*** Variables ***
+| ${dut2_spi}= | ${1000}
+| ${dut1_spi}= | ${1001}
+
+| ${ESP_PROTO}= | ${50}
+
+| ${bid}= | 10
+
+*** Test Cases ***
+| TC01: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int.
+| | [Documentation]
+| | ... | [Top] TG-DUT1-DUT2-TG.
+| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\
+| | ... | Eth-IPv4-ICMPv4 on TG-DUTn.
+| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\
+| | ... | IPsec in between DUTs.
+| | ... | [Ver] Case: ip4-lispgpe-ipsec-ip4 - main fib
+| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\
+| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\
+| | ... | received packets are correct.
+| | ... | [Ref] RFC6830, RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Setup 3-node Topology
+| | And Add IP Neighbors
+| | And Configure LISP GPE topology in 3-node circular topology
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
+| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid}
+| | ... | ${dut1_to_dut2_ip4_static_adjacency}
+| | ... | ${dut2_to_dut1_ip4_static_adjacency}
+| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
+| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4}
+| | And Configure manual keyed connection for IPSec
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
+| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4}
+| | Then Send packet and verify headers
+| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4}
+| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
+| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
+| | And Send packet and verify headers
+| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4}
+| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
+| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
+
+| TC02: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) lisp_gpe0 Int.
+| | [Documentation]
+| | ... | [Top] TG-DUT1-DUT2-TG.
+| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\
+| | ... | Eth-IPv4-ICMPv4 on TG-DUTn.
+| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\
+| | ... | IPsec in between DUTs.
+| | ... | [Ver] Case: ip4-ipsec-lispgpe-ip4 - main fib
+| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\
+| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\
+| | ... | received packets are correct.
+| | ... | [Ref] RFC6830, RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Setup 3-node Topology
+| | And Add IP Neighbors
+| | And Configure LISP GPE topology in 3-node circular topology
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
+| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid}
+| | ... | ${dut1_to_dut2_ip4_static_adjacency}
+| | ... | ${dut2_to_dut1_ip4_static_adjacency}
+| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.Get sw if index
+| | ... | ${dut1_node} | lisp_gpe0
+| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} | ${tg1_ip4}
+| | ... | ${tg2_ip4}
+| | And Configure manual keyed connection for IPSec
+| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} | ${tg2_ip4}
+| | ... | ${tg1_ip4}
+| | Then Send packet and verify headers
+| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4}
+| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
+| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
+| | And Send packet and verify headers
+| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4}
+| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
+| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
+
+| TC03: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int and VRF on EID is enabled.
+| | [Documentation]
+| | ... | [Top] TG-DUT1-DUT2-TG.
+| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\
+| | ... | Eth-IPv4-ICMPv4 on TG-DUTn.
+| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\
+| | ... | IPsec in between DUTs.
+| | ... | [Ver] Case: ip4-lispgpe-ipsec-ip4 - vrf, main fib
+| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\
+| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\
+| | ... | received packets are correct.
+| | ... | [Ref] RFC6830, RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Setup 3-node Topology | ${fib_table_1}
+| | And Add IP Neighbors
+| | When Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | And Configure LISP GPE topology in 3-node circular topology
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
+| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid}
+| | ... | ${dut1_to_dut2_ip4_static_adjacency}
+| | ... | ${dut2_to_dut1_ip4_static_adjacency}
+| | ... | ${dut1_dut2_vni} | ${fib_table_1}
+| | And Configure manual keyed connection for IPSec
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
+| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4}
+| | And Configure manual keyed connection for IPSec
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
+| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4}
+| | Then Send packet and verify headers
+| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4}
+| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
+| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
+| | And Send packet and verify headers
+| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4}
+| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
+| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
+
+| TC04: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on lisp_gpe0 Int and VRF is enabled.
+| | [Documentation]
+| | ... | [Top] TG-DUT1-DUT2-TG.
+| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\
+| | ... | Eth-IPv4-ICMPv4 on TG-DUTn.
+| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\
+| | ... | IPsec in between DUTs.
+| | ... | [Ver] Case: ip4-ipsec-lispgpe-ip4 - vrf, main fib
+| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\
+| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\
+| | ... | received packets are correct.
+| | ... | [Ref] RFC6830, RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Setup 3-node Topology | ${fib_table_1}
+| | And Add IP Neighbors
+| | And Configure LISP GPE topology in 3-node circular topology
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
+| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid}
+| | ... | ${dut1_to_dut2_ip4_static_adjacency}
+| | ... | ${dut2_to_dut1_ip4_static_adjacency}
+| | ... | ${dut1_dut2_vni} | ${fib_table_1}
+| | When Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.Get sw if index
+| | ... | ${dut1_node} | lisp_gpe0
+| | And Configure manual keyed connection for IPSec
+| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} | ${tg1_ip4}
+| | ... | ${tg2_ip4}
+| | And Configure manual keyed connection for IPSec
+| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} | ${tg2_ip4}
+| | ... | ${tg1_ip4}
+| | Then Send packet and verify headers
+| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4}
+| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
+| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
+| | And Send packet and verify headers
+| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4}
+| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
+| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
+
+*** Keywords ***
+| Setup 3-node Topology
+| | [Documentation]
+| | ... | Setup 3-node topology for this test suite. Set all physical\
+| | ... | interfaces up and assing IP adresses to them.\
+| | ... | You can specify fib table ID where the DUT-TG interfaces assign to.\
+| | ... | Default is 0.
+| | ...
+| | [Arguments] | ${fib_table}=0
+| | Configure path in 3-node circular topology
+| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
+| | Set interfaces in 3-node circular topology up
+| | And Add Fib Table | ${dut1_node} | ${fib_table}
+| | Assign Interface To Fib Table | ${dut1_node}
+| | ... | ${dut1_to_tg} | ${fib_table}
+| | And Add Fib Table | ${dut2_node} | ${fib_table}
+| | Assign Interface To Fib Table | ${dut2_node}
+| | ... | ${dut2_to_tg} | ${fib_table}
+| | Set Interface Address | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip4}
+| | ... | ${prefix4}
+| | Set Interface Address | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip4}
+| | ... | ${prefix4}
+| | Set Interface Address | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip4}
+| | ... | ${prefix4}
+| | Set Interface Address | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip4}
+| | ... | ${prefix4}
+
+| Add IP Neighbors
+| | [Documentation]
+| | ... | Add IP neighbors to physical interfaces on DUTs.
+| | ...
+| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip4}
+| | ... | ${tg_to_dut1_mac}
+| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip4}
+| | ... | ${tg_to_dut2_mac}
+| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip4}
+| | ... | ${dut2_to_dut1_mac}
+| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip4}
+| | ... | ${dut1_to_dut2_mac}
diff --git a/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot
new file mode 100644
index 0000000000..550c9405cc
--- /dev/null
+++ b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot
@@ -0,0 +1,160 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Library | resources.libraries.python.topology.Topology
+| Library | resources.libraries.python.NodePath
+| Library | resources.libraries.python.Trace
+| Library | resources.libraries.python.IPUtil
+| Library | resources.libraries.python.L2Util
+| Library | resources.libraries.python.LispUtil
+| Library | resources.libraries.python.IPsecUtil
+| Library | resources.libraries.python.VatJsonUtil
+| Library | resources.libraries.python.IPv6Setup
+| Library | resources.libraries.python.VhostUser
+| Library | resources.libraries.python.QemuUtils
+| Library | resources.libraries.python.VPPUtil
+| Library | String
+| Resource | resources/libraries/robot/shared/traffic.robot
+| Resource | resources/libraries/robot/shared/default.robot
+| Resource | resources/libraries/robot/shared/interfaces.robot
+| Resource | resources/libraries/robot/shared/testing_path.robot
+| Resource | resources/libraries/robot/ip/ip6.robot
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+| Resource | resources/libraries/robot/vm/qemu.robot
+| Resource | resources/libraries/robot/overlay/lispgpe.robot
+| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot
+# Import configuration and test data:
+| Variables | resources/test_data/lisp/ipv6_lispgpe_ipv4/ipv6_lispgpe_ipsec_ipv4.py
+| ...
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH
+| ...
+| Test Setup | Set up functional test
+| ...
+| Test Teardown | Tear down LISP functional test
+| ...
+| Documentation | *IPv6 - ip4-ipsec-lispgpe-ip6 - main fib, vrf, virt2lisp,\
+| ... | phy2lisp*
+| ...
+| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\
+| ... | with single links between nodes.
+| ... | *[Enc] Packet Encapsulations:* Eth-IPv4-LISPGPE-IPSec-IPv6-ICMP,\
+| ... | Eth-IPv4-IPSec-LISPGPE-IPv6-ICMP
+| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\
+| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\
+| ... | on RLOC interface or lisp_gpe0 interface.
+| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\
+| ... | DUT2 where it is forwarded to TG(if2).
+| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303.
+
+*** Test Cases ***
+| TC01: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int.
+| | [Documentation]
+| | ... | [Top] TG-DUT1-DUT2-TG.
+| | ... | [Enc] Eth-IPv4-LISPGPE-IPSec-IPv6-ICMP on DUT1-DUT2, Eth-IPv6-ICMP\
+| | ... | on TG-DUTn.
+| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\
+| | ... | IPsec in between DUTS.
+| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\
+| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\
+| | ... | received packets are correct.
+| | ... | [Ref] RFC6830, RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Setup Topology And Lisp
+| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
+| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4}
+| | And Configure manual keyed connection for IPSec
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
+| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4}
+| | Then Send packet and verify headers
+| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6}
+| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
+| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
+| | And Send packet and verify headers
+| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6}
+| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
+| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
+
+| TC02: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on lisp_gpe0 Int.
+| | [Documentation]
+| | ... | [Top] TG-DUT1-DUT2-TG.
+| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2, Eth-IPv6-ICMP\
+| | ... | on TG-DUTn.
+| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\
+| | ... | IPsec in between DUTS.
+| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\
+| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\
+| | ... | received packets are correct.
+| | ... | [Ref] RFC6830, RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Setup Topology And Lisp
+| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.get sw if index
+| | ... | ${dut1_node} | ${lisp_gpe_int}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
+| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4}
+| | And Configure manual keyed connection for IPSec
+| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
+| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4}
+| | Then Send packet and verify headers
+| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6}
+| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
+| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
+| | And Send packet and verify headers
+| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6}
+| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
+| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
+
+*** Keywords ***
+| Setup Topology And Lisp
+| | [Documentation] | Setup IPs and neighbors for interfaces on DUT1 and DUT2\
+| | ... | and then setup LISP.
+| | [Arguments] | ${fib_table}=0 | ${vni_table}=0 | ${ip6}=${FALSE}
+| | Configure path in 3-node circular topology
+| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
+| | Set interfaces in 3-node circular topology up
+| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip4}
+| | ... | ${prefix4}
+| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip6}
+| | ... | ${prefix6}
+| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip4}
+| | ... | ${prefix4}
+| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip6}
+| | ... | ${prefix6}
+| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip6}
+| | ... | ${tg_to_dut2_mac}
+| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip4}
+| | ... | ${dut2_to_dut1_mac}
+| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip4}
+| | ... | ${dut1_to_dut2_mac}
+| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip6}
+| | ... | ${tg_to_dut1_mac}
+| | Vpp All RA Suppress Link Layer | ${nodes}
+| | Configure LISP GPE topology in 3-node circular topology
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
+| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid}
+| | ... | ${dut1_to_dut2_ip_static_adjacency}
+| | ... | ${dut2_to_dut1_ip_static_adjacency}
+| | ... | ${vni_table} | ${fib_table}
diff --git a/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot
new file mode 100644
index 0000000000..8c131181f3
--- /dev/null
+++ b/tests/vpp/func/crypto/default/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot
@@ -0,0 +1,135 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Library | resources.libraries.python.topology.Topology
+| Library | resources.libraries.python.NodePath
+| Library | resources.libraries.python.Trace
+| Library | resources.libraries.python.IPUtil
+| Library | resources.libraries.python.L2Util
+| Library | resources.libraries.python.LispUtil
+| Library | resources.libraries.python.IPsecUtil
+| Library | resources.libraries.python.VatJsonUtil
+| Library | resources.libraries.python.IPv6Setup
+| Library | resources.libraries.python.VhostUser
+| Library | resources.libraries.python.QemuUtils
+| Library | resources.libraries.python.VPPUtil
+| Library | String
+| Resource | resources/libraries/robot/shared/traffic.robot
+| Resource | resources/libraries/robot/shared/default.robot
+| Resource | resources/libraries/robot/shared/interfaces.robot
+| Resource | resources/libraries/robot/shared/testing_path.robot
+| Resource | resources/libraries/robot/ip/ip6.robot
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+| Resource | resources/libraries/robot/vm/qemu.robot
+| Resource | resources/libraries/robot/overlay/lispgpe.robot
+| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot
+# Import configuration and test data:
+| Variables | resources/test_data/lisp/ipv6_lispgpe_ipv4/ipv6_lispgpe_ipsec_ipv4.py
+| ...
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH
+| ...
+| Test Setup | Set up functional test
+| ...
+| Test Teardown | Tear down LISP functional test
+| ...
+| Documentation | *IPv6 - ip4-ipsec-lispgpe-ip6 - main fib, vrf, virt2lisp,\
+| ... | phy2lisp*
+| ...
+| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\
+| ... | with single links between nodes.
+| ... | *[Enc] Packet Encapsulations:* Eth-IPv4-LISPGPE-IPSec-IPv6-ICMP,\
+| ... | Eth-IPv4-IPSec-LISPGPE-IPv6-ICMP
+| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\
+| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\
+| ... | on RLOC interface or lisp_gpe0 interface.
+| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\
+| ... | DUT2 where it is forwarded to TG(if2).
+| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303.
+
+*** Test Cases ***
+| TC01: DUT1 and DUT2 route IPv6 bidirectionally over LISP GPE tunnel using physical interfaces and VRF is enabled
+| | [Documentation]
+| | ... | [Top] TG-DUT1-DUT2-TG.
+| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2,\
+| | ... | Eth-IPv6-ICMPv6, on TG-DUTn.
+| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\
+| | ... | IPsec in between DUTS.
+| | ... | [Ver] Case: ip4-ipsec-lispgpe-ip6 - vrf, phy2lisp
+| | ... | Make TG send ICMPv6 Echo Req between its interfaces across both\
+| | ... | DUTs and LISP GPE tunnel between them; verify IPv6 headers on\
+| | ... | received packets are correct.
+| | ... | [Ref] RFC6830, RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Configure path in 3-node circular topology
+| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
+| | And Set interfaces in 3-node circular topology up
+| | And Add Fib Table | ${dut1_node} | ${fib_table_1} | ip6=${TRUE}
+| | And Add Fib Table | ${dut2_node} | ${fib_table_1} | ip6=${TRUE}
+| | Assign Interface To Fib Table | ${dut1_node}
+| | ... | ${dut1_to_tg} | ${fib_table_1} | ip6=${TRUE}
+| | Assign Interface To Fib Table | ${dut2_node}
+| | ... | ${dut2_to_tg} | ${fib_table_1} | ip6=${TRUE}
+| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
+| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4}
+| | And Configure manual keyed connection for IPSec
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
+| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4}
+| | Setup Topology And Lisp | ${fib_table_1} | ${dut1_dut2_vni}
+| | Then Send packet and verify headers
+| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6}
+| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
+| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
+| | And Send packet and verify headers
+| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6}
+| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
+| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
+
+*** Keywords ***
+| Setup Topology And Lisp
+| | [Documentation] | Setup IPs and neighbors for interfaces on DUT1 and DUT2\
+| | ... | and then setup LISP.
+| | [Arguments] | ${fib_table}=0 | ${vni_table}=0 | ${ip6}=${FALSE}
+| | Configure path in 3-node circular topology
+| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
+| | Set interfaces in 3-node circular topology up
+| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip4}
+| | ... | ${prefix4}
+| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip6}
+| | ... | ${prefix6}
+| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip4}
+| | ... | ${prefix4}
+| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip6}
+| | ... | ${prefix6}
+| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip6}
+| | ... | ${tg_to_dut2_mac}
+| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip4}
+| | ... | ${dut2_to_dut1_mac}
+| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip4}
+| | ... | ${dut1_to_dut2_mac}
+| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip6}
+| | ... | ${tg_to_dut1_mac}
+| | Vpp All RA Suppress Link Layer | ${nodes}
+| | Configure LISP GPE topology in 3-node circular topology
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
+| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid}
+| | ... | ${dut1_to_dut2_ip_static_adjacency}
+| | ... | ${dut2_to_dut1_ip_static_adjacency}
+| | ... | ${vni_table} | ${fib_table}
diff --git a/tests/vpp/func/crypto/default/eth2p-ethip6ipsectnl-ip6base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectnl-ip6base-func.robot
new file mode 100644
index 0000000000..26d109a0b7
--- /dev/null
+++ b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectnl-ip6base-func.robot
@@ -0,0 +1,523 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+| Library | resources.libraries.python.Trace
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO
+| ...        | VM_ENV | HW_ENV | SKIP_VPP_PATCH
+| Test Setup | Set up IPv6 IPSec functional test
+| ...
+| Test Teardown | Tear down IPSec functional test | ${dut_node}
+| ...
+| Documentation | *IPv6 IPsec tunnel mode test suite.*
+| ...
+| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\
+| ... | between nodes.
+| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure
+| ... | loopback an physical interface IPv6 addresses, static ARP record, route
+| ... | and IPsec manual keyed connection in tunnel mode.
+| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet
+| ... | is received on TG from DUT1.
+| ... | *[Ref] Applicable standard specifications:* RFC4303.
+
+*** Variables ***
+| ${tg_spi}= | ${1000}
+| ${dut_spi}= | ${1001}
+| ${ESP_PROTO}= | ${50}
+| ${tg_if_ip6}= | 3ffe:5f::1
+| ${dut_if_ip6}= | 3ffe:5f::2
+| ${tg_lo_ip6}= | 3ffe:60::3
+| ${dut_lo_ip6}= | 3ffe:60::4
+| ${ip6_plen}= | ${64}
+| ${ip6_plen_rt}= | ${128}
+
+*** Test Cases ***
+| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC02: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC03: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC04: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC06: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC07: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC08: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC10: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC11: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG.
+| | ... | [Ref] RFC4303.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
+| | ... | and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
+| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+*** Keywords ***
+| Get Second Random String
+| | [Arguments] | ${req_alg} | ${req_type}
+| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
+| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
+| | ... | '${req_type}' == 'Integ' | ${auth_key}
+| | :FOR | ${index} | IN RANGE | 100
+| | | ${req_key}= | Generate Random String | ${req_key_len}
+| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}
diff --git a/tests/vpp/func/crypto/default/eth2p-ethip6ipsectpt-ip6base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectpt-ip6base-func.robot
new file mode 100644
index 0000000000..e36630b681
--- /dev/null
+++ b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectpt-ip6base-func.robot
@@ -0,0 +1,487 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+| Library | resources.libraries.python.Trace
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO
+| ...        | VM_ENV | HW_ENV | SKIP_VPP_PATCH
+| Test Setup | Set up IPv6 IPSec functional test
+| ...
+| Test Teardown | Tear down IPSec functional test | ${dut_node}
+| ...
+| Documentation | *IPv6 IPsec transport mode test suite.*
+| ...
+| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\
+| ... | between nodes.
+| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure
+| ... | loopback an physical interface IPv6 addresses, static ARP record, route
+| ... | and IPsec manual keyed connection in transport mode.
+| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet
+| ... | is received on TG from DUT1.
+| ... | *[Ref] Applicable standard specifications:* RFC4303.
+
+*** Variables ***
+| ${tg_spi}= | ${1000}
+| ${dut_spi}= | ${1001}
+| ${ESP_PROTO}= | ${50}
+| ${tg_if_ip6}= | 3ffe:5f::1
+| ${dut_if_ip6}= | 3ffe:5f::2
+| ${tg_lo_ip6}= | 3ffe:60::3
+| ${dut_lo_ip6}= | 3ffe:60::4
+| ${ip6_plen}= | ${64}
+| ${ip6_plen_rt}= | ${128}
+
+*** Test Cases ***
+| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC02: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC03: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC04: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC06: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC07: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC08: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC10: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC11: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | [Tags] | SKIP_PATCH
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG.
+| | ... | [Ref] RFC4303.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
+| | ... | and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
+| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG before and after SA keys update.
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+*** Keywords ***
+| Get Second Random String
+| | [Arguments] | ${req_alg} | ${req_type}
+| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
+| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
+| | ... | '${req_type}' == 'Integ' | ${auth_key}
+| | :FOR | ${index} | IN RANGE | 100
+| | | ${req_key}= | Generate Random String | ${req_key_len}
+| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}
diff --git a/tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot
new file mode 100644
index 0000000000..f3bc2e28b1
--- /dev/null
+++ b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot
@@ -0,0 +1,158 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Library | resources.libraries.python.topology.Topology
+| Library | resources.libraries.python.NodePath
+| Library | resources.libraries.python.Trace
+| Library | resources.libraries.python.IPUtil
+| Library | resources.libraries.python.L2Util
+| Library | resources.libraries.python.LispUtil
+| Library | resources.libraries.python.IPsecUtil
+| Library | resources.libraries.python.VatJsonUtil
+| Library | resources.libraries.python.IPv6Setup
+| Library | resources.libraries.python.VhostUser
+| Library | resources.libraries.python.QemuUtils
+| Library | String
+| Resource | resources/libraries/robot/shared/traffic.robot
+| Resource | resources/libraries/robot/shared/default.robot
+| Resource | resources/libraries/robot/shared/interfaces.robot
+| Resource | resources/libraries/robot/shared/testing_path.robot
+| Resource | resources/libraries/robot/ip/ip6.robot
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+| Resource | resources/libraries/robot/vm/qemu.robot
+| Resource | resources/libraries/robot/overlay/lispgpe.robot
+| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot
+# Import configuration and test data:
+| Variables | resources/test_data/lisp/ipv4_lispgpe_ipv6/ipv4_lispgpe_ipsec_ipv6.py
+| ...
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH
+| ...
+| Test Setup | Set up functional test
+| ...
+| Test Teardown | Tear down functional test
+| ...
+| Documentation | *IPv6 - ip4-ipsec-lispgpe-ip6 - main fib, virt2lisp, phy2lisp*
+| ...
+| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\
+| ... | with single links between nodes.
+| ... | *[Enc] Packet Encapsulations:* Eth-IPv6-LISPGPE-IPSec-IPv4-ICMP,\
+| ... | Eth-IPv6-IPSec-LISPGPE-IPv4-ICMP
+| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\
+| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\
+| ... | on RLOC interface or lisp_gpe0 interface.
+| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\
+| ... | DUT2 where it is forwarded to TG(if2).
+| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303.
+
+*** Test Cases ***
+| TC01: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int.
+| | [Documentation]
+| | ... | [Top] TG-DUT1-DUT2-TG.
+| | ... | [Enc] Eth-IPv6-LISPGPE-IPSec-IPv4-ICMP on DUT1-DUT2, Eth-IPv4-ICMP\
+| | ... | on TG-DUTn.
+| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\
+| | ... | IPsec in between DUTS.
+| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\
+| | ... | both DUTs and LISP GPE tunnel between them; verify IPv4 headers on\
+| | ... | received packets are correct.
+| | ... | [Ref] RFC6830, RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Setup Topology And Lisp
+| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
+| | ... | ${dut1_to_dut2_ip6} | ${dut2_to_dut1_ip6}
+| | And Configure manual keyed connection for IPSec
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
+| | ... | ${dut2_to_dut1_ip6} | ${dut1_to_dut2_ip6}
+| | Then Send packet and verify headers
+| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4}
+| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
+| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
+| | And Send packet and verify headers
+| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4}
+| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
+| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
+
+| TC02: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on lisp_gpe0 Int.
+| | [Documentation]
+| | ... | [Top] TG-DUT1-DUT2-TG.
+| | ... | [Enc] Eth-IPv6-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2, Eth-IPv4-ICMP\
+| | ... | on TG-DUTn.
+| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\
+| | ... | IPsec in between DUTS.
+| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\
+| | ... | both DUTs and LISP GPE tunnel between them; verify IPv4 headers on\
+| | ... | received packets are correct.
+| | ... | [Ref] RFC6830, RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Setup Topology And Lisp
+| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.get sw if index
+| | ... | ${dut1_node} | ${lisp_gpe_int}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
+| | ... | ${dut1_to_dut2_ip6} | ${dut2_to_dut1_ip6}
+| | And Configure manual keyed connection for IPSec
+| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
+| | ... | ${dut2_to_dut1_ip6} | ${dut1_to_dut2_ip6}
+| | Then Send packet and verify headers
+| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4}
+| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
+| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
+| | And Send packet and verify headers
+| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4}
+| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
+| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
+
+*** Keywords ***
+| Setup Topology And Lisp
+| | [Documentation] | Setup IPs and neighbors for interfaces on DUT1 and DUT2\
+| | ... | and then setup LISP.
+| | Configure path in 3-node circular topology
+| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
+| | Set interfaces in 3-node circular topology up
+| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6}
+| | ... | ${prefix6}
+| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6}
+| | ... | ${prefix6}
+| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip4}
+| | ... | ${prefix4}
+| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip6}
+| | ... | ${prefix6}
+| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip4}
+| | ... | ${prefix4}
+| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip4}
+| | ... | ${tg_to_dut2_mac}
+| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip6}
+| | ... | ${dut2_to_dut1_mac}
+| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip6}
+| | ... | ${dut1_to_dut2_mac}
+| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip4}
+| | ... | ${tg_to_dut1_mac}
+| | Vpp All RA Suppress Link Layer | ${nodes}
+| | Configure LISP GPE topology in 3-node circular topology
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
+| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid}
+| | ... | ${dut1_to_dut2_ip_static_adjacency}
+| | ... | ${dut2_to_dut1_ip_static_adjacency}
diff --git a/tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot
new file mode 100644
index 0000000000..ca81b425c8
--- /dev/null
+++ b/tests/vpp/func/crypto/default/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot
@@ -0,0 +1,174 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Library | resources.libraries.python.topology.Topology
+| Library | resources.libraries.python.NodePath
+| Library | resources.libraries.python.Trace
+| Library | resources.libraries.python.IPUtil
+| Library | resources.libraries.python.L2Util
+| Library | resources.libraries.python.LispUtil
+| Library | resources.libraries.python.VPPUtil
+| Library | resources.libraries.python.IPsecUtil
+| Library | resources.libraries.python.VatJsonUtil
+| Library | resources.libraries.python.IPv6Setup
+| Library | resources.libraries.python.VhostUser
+| Library | resources.libraries.python.QemuUtils
+| Library | String
+| Resource | resources/libraries/robot/shared/traffic.robot
+| Resource | resources/libraries/robot/shared/default.robot
+| Resource | resources/libraries/robot/shared/interfaces.robot
+| Resource | resources/libraries/robot/shared/testing_path.robot
+| Resource | resources/libraries/robot/ip/ip6.robot
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+| Resource | resources/libraries/robot/vm/qemu.robot
+| Resource | resources/libraries/robot/overlay/lispgpe.robot
+| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot
+# Import configuration and test data:
+| Variables | resources/test_data/lisp/ipv6_lispgpe_ipv6/ipv6_lispgpe_ipsec_ipv6.py
+| ...
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH
+| ...
+| Test Setup | Run Keywords | Set up functional test
+| ...        | AND          | Vpp All Ra Suppress Link Layer | ${nodes}
+| ...
+| Test Teardown | Tear down functional test
+| ...
+| Documentation | *IPv6 - ip6-ipsec-lispgpe-ip6 - main fib,
+| ... | vrf (gpe_vni-to-vrf), phy2lisp, virt2lisp*
+| ...
+| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\
+| ... | with single links between nodes.
+| ... | *[Enc] Packet Encapsulations:* Eth-IPv6-IPSec-LISPGPE-IPv6-ICMPv6,\
+| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\
+| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\
+| ... | on RLOC interface or lisp_gpe0 interface.
+| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1\
+| ... | to DUT2 where it is forwarded to TG(if2).
+| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303.
+
+*** Variables ***
+| ${dut2_spi}= | ${1000}
+| ${dut1_spi}= | ${1001}
+
+| ${ESP_PROTO}= | ${50}
+
+| ${bid}= | 10
+
+*** Test Cases ***
+| TC01: DUT1 and DUT2 route IPv6 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int.
+| | [Documentation]
+| | ... | [Top] TG-DUT1-DUT2-TG.
+| | ... | [Enc] Eth-IPv6-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2,\
+| | ... | Eth-IPv6-ICMPv6 on TG-DUTn.
+| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\
+| | ... | IPsec in between DUTS.
+| | ... | [Ver] Case: ip6-lispgpe-ipsec-ip6 - main fib, phys2lisp\
+| | ... | Make TG send ICMPv6 Echo Req between its interfaces across\
+| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\
+| | ... | received packets are correct.
+| | ... | [Ref] RFC6830, RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Setup Topology
+| | And Configure LISP GPE topology in 3-node circular topology
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
+| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid}
+| | ... | ${dut1_to_dut2_ip6_static_adjacency}
+| | ... | ${dut2_to_dut1_ip6_static_adjacency}
+| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
+| | ... | ${dut1_to_dut2_ip6} | ${dut2_to_dut1_ip6}
+| | And Configure manual keyed connection for IPSec
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
+| | ... | ${dut2_to_dut1_ip6} | ${dut1_to_dut2_ip6}
+| | Then Send packet and verify headers
+| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6}
+| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
+| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
+| | And Send packet and verify headers
+| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6}
+| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
+| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
+
+| TC02: DUT1 and DUT2 route IPv6 bidirectionally over LISP GPE tunnel using IPsec (transport) lisp_gpe0 Int.
+| | [Documentation]
+| | ... | [Top] TG-DUT1-DUT2-TG.
+| | ... | [Enc] Eth-IPv6-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2,\
+| | ... | Eth-IPv6-ICMPv6 on TG-DUTn.
+| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\
+| | ... | IPsec in between DUTS.
+| | ... | [Ver] Case: ip6-ipsec-lispgpe-ip6 - main fib, phys2lisp\
+| | ... | Make TG send ICMPv6 Echo Req between its interfaces across\
+| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\
+| | ... | received packets are correct.
+| | ... | [Ref] RFC6830, RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Setup Topology
+| | And Configure LISP GPE topology in 3-node circular topology
+| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
+| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
+| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid}
+| | ... | ${dut1_to_dut2_ip6_static_adjacency}
+| | ... | ${dut2_to_dut1_ip6_static_adjacency}
+| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.get sw if index
+| | ... | ${dut1_node} | lisp_gpe0
+| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} | ${tg1_ip6}
+| | ... | ${tg2_ip6}
+| | And Configure manual keyed connection for IPSec
+| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
+| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} | ${tg2_ip6}
+| | ... | ${tg1_ip6}
+| | Then Send packet and verify headers
+| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6}
+| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
+| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
+| | And Send packet and verify headers
+| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6}
+| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
+| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
+
+*** Keywords ***
+| Setup Topology
+| | Configure path in 3-node circular topology
+| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
+| | Set interfaces in 3-node circular topology up
+| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6}
+| | ... | ${prefix6}
+| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6}
+| | ... | ${prefix6}
+| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip6}
+| | ... | ${prefix6}
+| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip6}
+| | ... | ${prefix6}
+| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip6}
+| | ... | ${prefix6}
+| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip6}
+| | ... | ${tg_to_dut1_mac}
+| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip6}
+| | ... | ${tg_to_dut2_mac}
+| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip6}
+| | ... | ${dut2_to_dut1_mac}
+| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip6}
+| | ... | ${dut1_to_dut2_mac}
+| | Vpp All RA Suppress Link Layer | ${nodes}
diff --git a/tests/vpp/func/crypto/eth2p-ethip4ipsectnl-ip4base-func.robot b/tests/vpp/func/crypto/eth2p-ethip4ipsectnl-ip4base-func.robot
deleted file mode 100644
index 814d8ee45c..0000000000
--- a/tests/vpp/func/crypto/eth2p-ethip4ipsectnl-ip4base-func.robot
+++ /dev/null
@@ -1,523 +0,0 @@
-# Copyright (c) 2016 Cisco and/or its affiliates.
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-*** Settings ***
-| Resource | resources/libraries/robot/crypto/ipsec.robot
-| Library | resources.libraries.python.Trace
-| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO
-| ...        | VM_ENV | HW_ENV | SKIP_VPP_PATCH
-| ...
-| Test Setup | Set up IPv4 IPSec functional test
-| ...
-| Test Teardown | Tear down IPSec functional test | ${dut_node}
-| ...
-| Documentation | *IPv4 IPsec tunnel mode test suite.*
-| ...
-| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\
-| ... | between nodes.
-| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure\
-| ... | loopback an physical interface IPv4 addresses, static ARP record, route\
-| ... | and IPsec manual keyed connection in tunnel mode.
-| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\
-| ... | is received on TG from DUT1.
-| ... | *[Ref] Applicable standard specifications:* RFC4303.
-
-*** Variables ***
-| ${tg_spi}= | ${1000}
-| ${dut_spi}= | ${1001}
-| ${ESP_PROTO}= | ${50}
-| ${tg_if_ip4}= | 192.168.100.2
-| ${dut_if_ip4}= | 192.168.100.3
-| ${tg_lo_ip4}= | 192.168.3.3
-| ${dut_lo_ip4}= | 192.168.4.4
-| ${ip4_plen}= | ${24}
-
-*** Test Cases ***
-| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC02: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA1-96 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in tunnel mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC03: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA1-96 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in tunnel mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC04: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-256-128 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA 256 128
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA 256 128
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC06: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-256-128 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA 256 128
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC07: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-384-192 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA 384 192
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC08: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-384-192 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA 384 192
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA 384 192
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC10: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-512-256 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA 512 256
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC11: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-512-256 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA 512 256
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA 512 256
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
-| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
-| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
-| | ... | response to be received on TG.
-| | ... | [Ref] RFC4303.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
-| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
-| | ... | no response to be received on TG.
-| | ... | [Ref] RFC4303.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
-| | ... | by encryption key different from integrity and encryption keys stored\
-| | ... | on VPP node from TG to VPP node and expect no response to be received\
-| | ... | on TG.
-| | ... | [Ref] RFC4303.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
-| | ... | and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
-| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
-| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
-| | ... | response to be received on TG before and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
-| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
-| | ... | no response to be received on TG before and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
-| | ... | by encryption key different from integrity and encryption keys stored\
-| | ... | on VPP node from TG to VPP node and expect no response to be received\
-| | ... | on TG before and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-*** Keywords ***
-| Get Second Random String
-| | [Arguments] | ${req_alg} | ${req_type}
-| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
-| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
-| | ... | '${req_type}' == 'Integ' | ${auth_key}
-| | :FOR | ${index} | IN RANGE | 100
-| | | ${req_key}= | Generate Random String | ${req_key_len}
-| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}
diff --git a/tests/vpp/func/crypto/eth2p-ethip4ipsectpt-ip4base-func.robot b/tests/vpp/func/crypto/eth2p-ethip4ipsectpt-ip4base-func.robot
deleted file mode 100644
index e599cf9506..0000000000
--- a/tests/vpp/func/crypto/eth2p-ethip4ipsectpt-ip4base-func.robot
+++ /dev/null
@@ -1,487 +0,0 @@
-# Copyright (c) 2016 Cisco and/or its affiliates.
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-*** Settings ***
-| Resource | resources/libraries/robot/crypto/ipsec.robot
-| Library | resources.libraries.python.Trace
-| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO
-| ...        | VM_ENV | HW_ENV | SKIP_VPP_PATCH
-| Test Setup | Set up IPv4 IPSec functional test
-| ...
-| Test Teardown | Tear down IPSec functional test | ${dut_node}
-| ...
-| Documentation | *IPv4 IPsec transport mode test suite.*
-| ...
-| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\
-| ... | between nodes.
-| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure\
-| ... | loopback an physical interface IPv4 addresses, static ARP record, route\
-| ... | and IPsec manual keyed connection in transport mode.
-| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\
-| ... | is received on TG from DUT1.
-| ... | *[Ref] Applicable standard specifications:* RFC4303.
-
-*** Variables ***
-| ${tg_spi}= | ${1000}
-| ${dut_spi}= | ${1001}
-| ${ESP_PROTO}= | ${50}
-| ${tg_if_ip4}= | 192.168.100.2
-| ${dut_if_ip4}= | 192.168.100.3
-| ${tg_lo_ip4}= | 192.168.3.3
-| ${dut_lo_ip4}= | 192.168.4.4
-| ${ip4_plen}= | ${24}
-
-*** Test Cases ***
-| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC02: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA1-96 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC03: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA1-96 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC04: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-256-128 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA 256 128
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA 256 128
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC06: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-256-128 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA 256 128
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC07: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-384-192 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA 384 192
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC08: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-384-192 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA 384 192
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA 384 192
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC10: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-512-256 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA 512 256
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC11: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-512-256 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA 512 256
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA 512 256
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-
-| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode.
-| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
-| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
-| | ... | response to be received on TG.
-| | ... | [Ref] RFC4303.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
-| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
-| | ... | no response to be received on TG.
-| | ... | [Ref] RFC4303.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
-| | ... | by encryption key different from integrity and encryption keys stored\
-| | ... | on VPP node from TG to VPP node and expect no response to be received\
-| | ... | on TG.
-| | ... | [Ref] RFC4303.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
-| | ... | and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
-| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
-| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
-| | ... | response to be received on TG before and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
-| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
-| | ... | no response to be received on TG before and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
-| | ... | by encryption key different from integrity and encryption keys stored\
-| | ... | on VPP node from TG to VPP node and expect no response to be received\
-| | ... | on TG before and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-*** Keywords ***
-| Get Second Random String
-| | [Arguments] | ${req_alg} | ${req_type}
-| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
-| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
-| | ... | '${req_type}' == 'Integ' | ${auth_key}
-| | :FOR | ${index} | IN RANGE | 100
-| | | ${req_key}= | Generate Random String | ${req_key_len}
-| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}
diff --git a/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot b/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot
deleted file mode 100644
index 15c10d40fc..0000000000
--- a/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip4base-func.robot
+++ /dev/null
@@ -1,270 +0,0 @@
-# Copyright (c) 2016 Cisco and/or its affiliates.
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-*** Settings ***
-| Library | resources.libraries.python.topology.Topology
-| Library | resources.libraries.python.NodePath
-| Library | resources.libraries.python.Trace
-| Library | resources.libraries.python.LispUtil
-| Library | resources.libraries.python.VhostUser
-| Library | resources.libraries.python.QemuUtils
-| Library | resources.libraries.python.VPPUtil
-| Library | resources.libraries.python.IPsecUtil
-| Resource | resources/libraries/robot/shared/traffic.robot
-| Resource | resources/libraries/robot/shared/default.robot
-| Resource | resources/libraries/robot/shared/interfaces.robot
-| Resource | resources/libraries/robot/shared/testing_path.robot
-| Resource | resources/libraries/robot/crypto/ipsec.robot
-| Resource | resources/libraries/robot/vm/qemu.robot
-| Resource | resources/libraries/robot/overlay/lispgpe.robot
-| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot
-| Resource | resources/libraries/robot/overlay/l2lisp.robot
-# Import configuration and test data:
-| Variables | resources/test_data/lisp/ipv4_ipsec_lispgpe_ipv4/ipv4_ipsec_lispgpe_ipv4.py
-| ...
-| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH
-| ...
-| Test Setup | Set up functional test
-| ...
-| Test Teardown | Tear down LISP functional test
-| ...
-| Documentation | *IPv4-ip4-ipsec-lispgpe-ip4 - main fib, vrf (gpe_vni-to-vrf)*
-| ...
-| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\
-| ... | with single links between nodes.
-| ... | *[Enc] Packet Encapsulations:* ICMPv4-IPv4-IPSec-LISPGPE-IPv4-ICMPv4.
-| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\
-| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\
-| ... | on RLOC interface or lisp_gpe0 interface.
-| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\
-| ... | DUT2 where it is forwarded to TG(if2).
-| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303.
-
-*** Variables ***
-| ${dut2_spi}= | ${1000}
-| ${dut1_spi}= | ${1001}
-
-| ${ESP_PROTO}= | ${50}
-
-| ${bid}= | 10
-
-*** Test Cases ***
-| TC01: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int.
-| | [Documentation]
-| | ... | [Top] TG-DUT1-DUT2-TG.
-| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\
-| | ... | Eth-IPv4-ICMPv4 on TG-DUTn.
-| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\
-| | ... | IPsec in between DUTs.
-| | ... | [Ver] Case: ip4-lispgpe-ipsec-ip4 - main fib
-| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\
-| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\
-| | ... | received packets are correct.
-| | ... | [Ref] RFC6830, RFC4303.
-| | ...
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Setup 3-node Topology
-| | And Add IP Neighbors
-| | And Configure LISP GPE topology in 3-node circular topology
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
-| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid}
-| | ... | ${dut1_to_dut2_ip4_static_adjacency}
-| | ... | ${dut2_to_dut1_ip4_static_adjacency}
-| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
-| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4}
-| | And Configure manual keyed connection for IPSec
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
-| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4}
-| | Then Send packet and verify headers
-| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4}
-| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
-| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers
-| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4}
-| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
-| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
-
-| TC02: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) lisp_gpe0 Int.
-| | [Documentation]
-| | ... | [Top] TG-DUT1-DUT2-TG.
-| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\
-| | ... | Eth-IPv4-ICMPv4 on TG-DUTn.
-| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\
-| | ... | IPsec in between DUTs.
-| | ... | [Ver] Case: ip4-ipsec-lispgpe-ip4 - main fib
-| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\
-| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\
-| | ... | received packets are correct.
-| | ... | [Ref] RFC6830, RFC4303.
-| | ...
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Setup 3-node Topology
-| | And Add IP Neighbors
-| | And Configure LISP GPE topology in 3-node circular topology
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
-| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid}
-| | ... | ${dut1_to_dut2_ip4_static_adjacency}
-| | ... | ${dut2_to_dut1_ip4_static_adjacency}
-| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.Get sw if index
-| | ... | ${dut1_node} | lisp_gpe0
-| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} | ${tg1_ip4}
-| | ... | ${tg2_ip4}
-| | And Configure manual keyed connection for IPSec
-| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} | ${tg2_ip4}
-| | ... | ${tg1_ip4}
-| | Then Send packet and verify headers
-| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4}
-| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
-| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers
-| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4}
-| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
-| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
-
-| TC03: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int and VRF on EID is enabled.
-| | [Documentation]
-| | ... | [Top] TG-DUT1-DUT2-TG.
-| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\
-| | ... | Eth-IPv4-ICMPv4 on TG-DUTn.
-| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\
-| | ... | IPsec in between DUTs.
-| | ... | [Ver] Case: ip4-lispgpe-ipsec-ip4 - vrf, main fib
-| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\
-| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\
-| | ... | received packets are correct.
-| | ... | [Ref] RFC6830, RFC4303.
-| | ...
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Setup 3-node Topology | ${fib_table_1}
-| | And Add IP Neighbors
-| | When Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | And Configure LISP GPE topology in 3-node circular topology
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
-| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid}
-| | ... | ${dut1_to_dut2_ip4_static_adjacency}
-| | ... | ${dut2_to_dut1_ip4_static_adjacency}
-| | ... | ${dut1_dut2_vni} | ${fib_table_1}
-| | And Configure manual keyed connection for IPSec
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
-| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4}
-| | And Configure manual keyed connection for IPSec
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
-| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4}
-| | Then Send packet and verify headers
-| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4}
-| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
-| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers
-| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4}
-| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
-| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
-
-| TC04: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on lisp_gpe0 Int and VRF is enabled.
-| | [Documentation]
-| | ... | [Top] TG-DUT1-DUT2-TG.
-| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2,\
-| | ... | Eth-IPv4-ICMPv4 on TG-DUTn.
-| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\
-| | ... | IPsec in between DUTs.
-| | ... | [Ver] Case: ip4-ipsec-lispgpe-ip4 - vrf, main fib
-| | ... | Make TG send ICMPv4 Echo Req between its interfaces across both\
-| | ... | DUTs and LISP GPE tunnel between them; verify IPv4 headers on\
-| | ... | received packets are correct.
-| | ... | [Ref] RFC6830, RFC4303.
-| | ...
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Setup 3-node Topology | ${fib_table_1}
-| | And Add IP Neighbors
-| | And Configure LISP GPE topology in 3-node circular topology
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
-| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid}
-| | ... | ${dut1_to_dut2_ip4_static_adjacency}
-| | ... | ${dut2_to_dut1_ip4_static_adjacency}
-| | ... | ${dut1_dut2_vni} | ${fib_table_1}
-| | When Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.Get sw if index
-| | ... | ${dut1_node} | lisp_gpe0
-| | And Configure manual keyed connection for IPSec
-| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} | ${tg1_ip4}
-| | ... | ${tg2_ip4}
-| | And Configure manual keyed connection for IPSec
-| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} | ${tg2_ip4}
-| | ... | ${tg1_ip4}
-| | Then Send packet and verify headers
-| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4}
-| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
-| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers
-| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4}
-| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
-| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
-
-*** Keywords ***
-| Setup 3-node Topology
-| | [Documentation]
-| | ... | Setup 3-node topology for this test suite. Set all physical\
-| | ... | interfaces up and assing IP adresses to them.\
-| | ... | You can specify fib table ID where the DUT-TG interfaces assign to.\
-| | ... | Default is 0.
-| | ...
-| | [Arguments] | ${fib_table}=0
-| | Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | Set interfaces in 3-node circular topology up
-| | And Add Fib Table | ${dut1_node} | ${fib_table}
-| | Assign Interface To Fib Table | ${dut1_node}
-| | ... | ${dut1_to_tg} | ${fib_table}
-| | And Add Fib Table | ${dut2_node} | ${fib_table}
-| | Assign Interface To Fib Table | ${dut2_node}
-| | ... | ${dut2_to_tg} | ${fib_table}
-| | Set Interface Address | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip4}
-| | ... | ${prefix4}
-| | Set Interface Address | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip4}
-| | ... | ${prefix4}
-| | Set Interface Address | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip4}
-| | ... | ${prefix4}
-| | Set Interface Address | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip4}
-| | ... | ${prefix4}
-
-| Add IP Neighbors
-| | [Documentation]
-| | ... | Add IP neighbors to physical interfaces on DUTs.
-| | ...
-| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip4}
-| | ... | ${tg_to_dut1_mac}
-| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip4}
-| | ... | ${tg_to_dut2_mac}
-| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip4}
-| | ... | ${dut2_to_dut1_mac}
-| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip4}
-| | ... | ${dut1_to_dut2_mac}
diff --git a/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot b/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot
deleted file mode 100644
index 550c9405cc..0000000000
--- a/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6base-func.robot
+++ /dev/null
@@ -1,160 +0,0 @@
-# Copyright (c) 2016 Cisco and/or its affiliates.
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-*** Settings ***
-| Library | resources.libraries.python.topology.Topology
-| Library | resources.libraries.python.NodePath
-| Library | resources.libraries.python.Trace
-| Library | resources.libraries.python.IPUtil
-| Library | resources.libraries.python.L2Util
-| Library | resources.libraries.python.LispUtil
-| Library | resources.libraries.python.IPsecUtil
-| Library | resources.libraries.python.VatJsonUtil
-| Library | resources.libraries.python.IPv6Setup
-| Library | resources.libraries.python.VhostUser
-| Library | resources.libraries.python.QemuUtils
-| Library | resources.libraries.python.VPPUtil
-| Library | String
-| Resource | resources/libraries/robot/shared/traffic.robot
-| Resource | resources/libraries/robot/shared/default.robot
-| Resource | resources/libraries/robot/shared/interfaces.robot
-| Resource | resources/libraries/robot/shared/testing_path.robot
-| Resource | resources/libraries/robot/ip/ip6.robot
-| Resource | resources/libraries/robot/crypto/ipsec.robot
-| Resource | resources/libraries/robot/vm/qemu.robot
-| Resource | resources/libraries/robot/overlay/lispgpe.robot
-| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot
-# Import configuration and test data:
-| Variables | resources/test_data/lisp/ipv6_lispgpe_ipv4/ipv6_lispgpe_ipsec_ipv4.py
-| ...
-| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH
-| ...
-| Test Setup | Set up functional test
-| ...
-| Test Teardown | Tear down LISP functional test
-| ...
-| Documentation | *IPv6 - ip4-ipsec-lispgpe-ip6 - main fib, vrf, virt2lisp,\
-| ... | phy2lisp*
-| ...
-| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\
-| ... | with single links between nodes.
-| ... | *[Enc] Packet Encapsulations:* Eth-IPv4-LISPGPE-IPSec-IPv6-ICMP,\
-| ... | Eth-IPv4-IPSec-LISPGPE-IPv6-ICMP
-| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\
-| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\
-| ... | on RLOC interface or lisp_gpe0 interface.
-| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\
-| ... | DUT2 where it is forwarded to TG(if2).
-| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303.
-
-*** Test Cases ***
-| TC01: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int.
-| | [Documentation]
-| | ... | [Top] TG-DUT1-DUT2-TG.
-| | ... | [Enc] Eth-IPv4-LISPGPE-IPSec-IPv6-ICMP on DUT1-DUT2, Eth-IPv6-ICMP\
-| | ... | on TG-DUTn.
-| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\
-| | ... | IPsec in between DUTS.
-| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\
-| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\
-| | ... | received packets are correct.
-| | ... | [Ref] RFC6830, RFC4303.
-| | ...
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Setup Topology And Lisp
-| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
-| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4}
-| | And Configure manual keyed connection for IPSec
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
-| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4}
-| | Then Send packet and verify headers
-| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6}
-| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
-| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers
-| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6}
-| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
-| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
-
-| TC02: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on lisp_gpe0 Int.
-| | [Documentation]
-| | ... | [Top] TG-DUT1-DUT2-TG.
-| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2, Eth-IPv6-ICMP\
-| | ... | on TG-DUTn.
-| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\
-| | ... | IPsec in between DUTS.
-| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\
-| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\
-| | ... | received packets are correct.
-| | ... | [Ref] RFC6830, RFC4303.
-| | ...
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Setup Topology And Lisp
-| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.get sw if index
-| | ... | ${dut1_node} | ${lisp_gpe_int}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
-| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4}
-| | And Configure manual keyed connection for IPSec
-| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
-| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4}
-| | Then Send packet and verify headers
-| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6}
-| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
-| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers
-| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6}
-| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
-| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
-
-*** Keywords ***
-| Setup Topology And Lisp
-| | [Documentation] | Setup IPs and neighbors for interfaces on DUT1 and DUT2\
-| | ... | and then setup LISP.
-| | [Arguments] | ${fib_table}=0 | ${vni_table}=0 | ${ip6}=${FALSE}
-| | Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | Set interfaces in 3-node circular topology up
-| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip4}
-| | ... | ${prefix4}
-| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip6}
-| | ... | ${prefix6}
-| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip4}
-| | ... | ${prefix4}
-| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip6}
-| | ... | ${prefix6}
-| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip6}
-| | ... | ${tg_to_dut2_mac}
-| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip4}
-| | ... | ${dut2_to_dut1_mac}
-| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip4}
-| | ... | ${dut1_to_dut2_mac}
-| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip6}
-| | ... | ${tg_to_dut1_mac}
-| | Vpp All RA Suppress Link Layer | ${nodes}
-| | Configure LISP GPE topology in 3-node circular topology
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
-| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid}
-| | ... | ${dut1_to_dut2_ip_static_adjacency}
-| | ... | ${dut2_to_dut1_ip_static_adjacency}
-| | ... | ${vni_table} | ${fib_table}
diff --git a/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot b/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot
deleted file mode 100644
index 8c131181f3..0000000000
--- a/tests/vpp/func/crypto/eth2p-ethip4ipsectptlispgpe-ip6basevrf-func.robot
+++ /dev/null
@@ -1,135 +0,0 @@
-# Copyright (c) 2016 Cisco and/or its affiliates.
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-*** Settings ***
-| Library | resources.libraries.python.topology.Topology
-| Library | resources.libraries.python.NodePath
-| Library | resources.libraries.python.Trace
-| Library | resources.libraries.python.IPUtil
-| Library | resources.libraries.python.L2Util
-| Library | resources.libraries.python.LispUtil
-| Library | resources.libraries.python.IPsecUtil
-| Library | resources.libraries.python.VatJsonUtil
-| Library | resources.libraries.python.IPv6Setup
-| Library | resources.libraries.python.VhostUser
-| Library | resources.libraries.python.QemuUtils
-| Library | resources.libraries.python.VPPUtil
-| Library | String
-| Resource | resources/libraries/robot/shared/traffic.robot
-| Resource | resources/libraries/robot/shared/default.robot
-| Resource | resources/libraries/robot/shared/interfaces.robot
-| Resource | resources/libraries/robot/shared/testing_path.robot
-| Resource | resources/libraries/robot/ip/ip6.robot
-| Resource | resources/libraries/robot/crypto/ipsec.robot
-| Resource | resources/libraries/robot/vm/qemu.robot
-| Resource | resources/libraries/robot/overlay/lispgpe.robot
-| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot
-# Import configuration and test data:
-| Variables | resources/test_data/lisp/ipv6_lispgpe_ipv4/ipv6_lispgpe_ipsec_ipv4.py
-| ...
-| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH
-| ...
-| Test Setup | Set up functional test
-| ...
-| Test Teardown | Tear down LISP functional test
-| ...
-| Documentation | *IPv6 - ip4-ipsec-lispgpe-ip6 - main fib, vrf, virt2lisp,\
-| ... | phy2lisp*
-| ...
-| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\
-| ... | with single links between nodes.
-| ... | *[Enc] Packet Encapsulations:* Eth-IPv4-LISPGPE-IPSec-IPv6-ICMP,\
-| ... | Eth-IPv4-IPSec-LISPGPE-IPv6-ICMP
-| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\
-| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\
-| ... | on RLOC interface or lisp_gpe0 interface.
-| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\
-| ... | DUT2 where it is forwarded to TG(if2).
-| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303.
-
-*** Test Cases ***
-| TC01: DUT1 and DUT2 route IPv6 bidirectionally over LISP GPE tunnel using physical interfaces and VRF is enabled
-| | [Documentation]
-| | ... | [Top] TG-DUT1-DUT2-TG.
-| | ... | [Enc] Eth-IPv4-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2,\
-| | ... | Eth-IPv6-ICMPv6, on TG-DUTn.
-| | ... | [Cfg] Configure IPv4 LISP static adjacencies on DUT1 and DUT2 with\
-| | ... | IPsec in between DUTS.
-| | ... | [Ver] Case: ip4-ipsec-lispgpe-ip6 - vrf, phy2lisp
-| | ... | Make TG send ICMPv6 Echo Req between its interfaces across both\
-| | ... | DUTs and LISP GPE tunnel between them; verify IPv6 headers on\
-| | ... | received packets are correct.
-| | ... | [Ref] RFC6830, RFC4303.
-| | ...
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | And Set interfaces in 3-node circular topology up
-| | And Add Fib Table | ${dut1_node} | ${fib_table_1} | ip6=${TRUE}
-| | And Add Fib Table | ${dut2_node} | ${fib_table_1} | ip6=${TRUE}
-| | Assign Interface To Fib Table | ${dut1_node}
-| | ... | ${dut1_to_tg} | ${fib_table_1} | ip6=${TRUE}
-| | Assign Interface To Fib Table | ${dut2_node}
-| | ... | ${dut2_to_tg} | ${fib_table_1} | ip6=${TRUE}
-| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
-| | ... | ${dut1_to_dut2_ip4} | ${dut2_to_dut1_ip4}
-| | And Configure manual keyed connection for IPSec
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
-| | ... | ${dut2_to_dut1_ip4} | ${dut1_to_dut2_ip4}
-| | Setup Topology And Lisp | ${fib_table_1} | ${dut1_dut2_vni}
-| | Then Send packet and verify headers
-| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6}
-| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
-| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers
-| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6}
-| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
-| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
-
-*** Keywords ***
-| Setup Topology And Lisp
-| | [Documentation] | Setup IPs and neighbors for interfaces on DUT1 and DUT2\
-| | ... | and then setup LISP.
-| | [Arguments] | ${fib_table}=0 | ${vni_table}=0 | ${ip6}=${FALSE}
-| | Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | Set interfaces in 3-node circular topology up
-| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip4}
-| | ... | ${prefix4}
-| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip6}
-| | ... | ${prefix6}
-| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip4}
-| | ... | ${prefix4}
-| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip6}
-| | ... | ${prefix6}
-| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip6}
-| | ... | ${tg_to_dut2_mac}
-| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip4}
-| | ... | ${dut2_to_dut1_mac}
-| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip4}
-| | ... | ${dut1_to_dut2_mac}
-| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip6}
-| | ... | ${tg_to_dut1_mac}
-| | Vpp All RA Suppress Link Layer | ${nodes}
-| | Configure LISP GPE topology in 3-node circular topology
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
-| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid}
-| | ... | ${dut1_to_dut2_ip_static_adjacency}
-| | ... | ${dut2_to_dut1_ip_static_adjacency}
-| | ... | ${vni_table} | ${fib_table}
diff --git a/tests/vpp/func/crypto/eth2p-ethip6ipsectnl-ip6base-func.robot b/tests/vpp/func/crypto/eth2p-ethip6ipsectnl-ip6base-func.robot
deleted file mode 100644
index 26d109a0b7..0000000000
--- a/tests/vpp/func/crypto/eth2p-ethip6ipsectnl-ip6base-func.robot
+++ /dev/null
@@ -1,523 +0,0 @@
-# Copyright (c) 2016 Cisco and/or its affiliates.
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-*** Settings ***
-| Resource | resources/libraries/robot/crypto/ipsec.robot
-| Library | resources.libraries.python.Trace
-| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO
-| ...        | VM_ENV | HW_ENV | SKIP_VPP_PATCH
-| Test Setup | Set up IPv6 IPSec functional test
-| ...
-| Test Teardown | Tear down IPSec functional test | ${dut_node}
-| ...
-| Documentation | *IPv6 IPsec tunnel mode test suite.*
-| ...
-| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\
-| ... | between nodes.
-| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure
-| ... | loopback an physical interface IPv6 addresses, static ARP record, route
-| ... | and IPsec manual keyed connection in tunnel mode.
-| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet
-| ... | is received on TG from DUT1.
-| ... | *[Ref] Applicable standard specifications:* RFC4303.
-
-*** Variables ***
-| ${tg_spi}= | ${1000}
-| ${dut_spi}= | ${1001}
-| ${ESP_PROTO}= | ${50}
-| ${tg_if_ip6}= | 3ffe:5f::1
-| ${dut_if_ip6}= | 3ffe:5f::2
-| ${tg_lo_ip6}= | 3ffe:60::3
-| ${dut_lo_ip6}= | 3ffe:60::4
-| ${ip6_plen}= | ${64}
-| ${ip6_plen_rt}= | ${128}
-
-*** Test Cases ***
-| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC02: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA1-96 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in tunnel mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC03: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA1-96 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in tunnel mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC04: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-256-128 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA 256 128
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA 256 128
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC06: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-256-128 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA 256 128
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC07: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-384-192 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA 384 192
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC08: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-384-192 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA 384 192
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA 384 192
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC10: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-512-256 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA 512 256
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC11: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-512-256 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA 512 256
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA 512 256
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
-| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
-| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
-| | ... | response to be received on TG.
-| | ... | [Ref] RFC4303.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
-| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
-| | ... | no response to be received on TG.
-| | ... | [Ref] RFC4303.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
-| | ... | by encryption key different from integrity and encryption keys stored\
-| | ... | on VPP node from TG to VPP node and expect no response to be received\
-| | ... | on TG.
-| | ... | [Ref] RFC4303.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
-| | ... | and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
-| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
-| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
-| | ... | response to be received on TG before and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
-| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
-| | ... | no response to be received on TG before and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
-| | ... | by encryption key different from integrity and encryption keys stored\
-| | ... | on VPP node from TG to VPP node and expect no response to be received\
-| | ... | on TG before and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
-| | ... | ${dut_tun_ip} | ${tg_tun_ip}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
-| | ... | ${dut_tun_ip}
-
-*** Keywords ***
-| Get Second Random String
-| | [Arguments] | ${req_alg} | ${req_type}
-| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
-| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
-| | ... | '${req_type}' == 'Integ' | ${auth_key}
-| | :FOR | ${index} | IN RANGE | 100
-| | | ${req_key}= | Generate Random String | ${req_key_len}
-| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}
diff --git a/tests/vpp/func/crypto/eth2p-ethip6ipsectpt-ip6base-func.robot b/tests/vpp/func/crypto/eth2p-ethip6ipsectpt-ip6base-func.robot
deleted file mode 100644
index e36630b681..0000000000
--- a/tests/vpp/func/crypto/eth2p-ethip6ipsectpt-ip6base-func.robot
+++ /dev/null
@@ -1,487 +0,0 @@
-# Copyright (c) 2016 Cisco and/or its affiliates.
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-*** Settings ***
-| Resource | resources/libraries/robot/crypto/ipsec.robot
-| Library | resources.libraries.python.Trace
-| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO
-| ...        | VM_ENV | HW_ENV | SKIP_VPP_PATCH
-| Test Setup | Set up IPv6 IPSec functional test
-| ...
-| Test Teardown | Tear down IPSec functional test | ${dut_node}
-| ...
-| Documentation | *IPv6 IPsec transport mode test suite.*
-| ...
-| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\
-| ... | between nodes.
-| ... | *[Cfg] DUT configuration:* On DUT1 create loopback interface, configure
-| ... | loopback an physical interface IPv6 addresses, static ARP record, route
-| ... | and IPsec manual keyed connection in transport mode.
-| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet
-| ... | is received on TG from DUT1.
-| ... | *[Ref] Applicable standard specifications:* RFC4303.
-
-*** Variables ***
-| ${tg_spi}= | ${1000}
-| ${dut_spi}= | ${1001}
-| ${ESP_PROTO}= | ${50}
-| ${tg_if_ip6}= | 3ffe:5f::1
-| ${dut_if_ip6}= | 3ffe:5f::2
-| ${tg_lo_ip6}= | 3ffe:60::3
-| ${dut_lo_ip6}= | 3ffe:60::4
-| ${ip6_plen}= | ${64}
-| ${ip6_plen_rt}= | ${128}
-
-*** Test Cases ***
-| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC02: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA1-96 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC03: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA1-96 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC04: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-256-128 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA 256 128
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA 256 128
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC06: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-256-128 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA 256 128
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC07: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-384-192 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA 384 192
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC08: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-384-192 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA 384 192
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA 384 192
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC10: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-512-256 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA 512 256
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC11: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-512-256 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | [Tags] | SKIP_PATCH
-| | ${encr_alg}= | Crypto Alg AES CBC 192
-| | ${auth_alg}= | Integ Alg SHA 512 256
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport
-| | ... | mode.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
-| | ${encr_alg}= | Crypto Alg AES CBC 256
-| | ${auth_alg}= | Integ Alg SHA 512 256
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode.
-| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
-| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
-| | ... | response to be received on TG.
-| | ... | [Ref] RFC4303.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
-| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
-| | ... | no response to be received on TG.
-| | ... | [Ref] RFC4303.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
-| | ... | by encryption key different from integrity and encryption keys stored\
-| | ... | on VPP node from TG to VPP node and expect no response to be received\
-| | ... | on TG.
-| | ... | [Ref] RFC4303.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
-| | ... | and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
-| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
-| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
-| | ... | response to be received on TG before and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
-| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
-| | ... | no response to be received on TG before and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
-| | [Documentation]
-| | ... | [Top] TG-DUT1.
-| | ... | [Ref] RFC4303.
-| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
-| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
-| | ... | mode. Then update SA keys - use new keys.
-| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
-| | ... | by encryption key different from integrity and encryption keys stored\
-| | ... | on VPP node from TG to VPP node and expect no response to be received\
-| | ... | on TG before and after SA keys update.
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
-| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
-| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
-| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
-| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
-| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
-| | ... | ${new_encr_key} | ${new_auth_key}
-| | Then Run Keyword And Expect Error | ESP packet Rx timeout
-| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
-| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
-| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
-| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
-
-*** Keywords ***
-| Get Second Random String
-| | [Arguments] | ${req_alg} | ${req_type}
-| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
-| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
-| | ... | '${req_type}' == 'Integ' | ${auth_key}
-| | :FOR | ${index} | IN RANGE | 100
-| | | ${req_key}= | Generate Random String | ${req_key_len}
-| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}
diff --git a/tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot b/tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot
deleted file mode 100644
index f3bc2e28b1..0000000000
--- a/tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip4base-func.robot
+++ /dev/null
@@ -1,158 +0,0 @@
-# Copyright (c) 2016 Cisco and/or its affiliates.
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-*** Settings ***
-| Library | resources.libraries.python.topology.Topology
-| Library | resources.libraries.python.NodePath
-| Library | resources.libraries.python.Trace
-| Library | resources.libraries.python.IPUtil
-| Library | resources.libraries.python.L2Util
-| Library | resources.libraries.python.LispUtil
-| Library | resources.libraries.python.IPsecUtil
-| Library | resources.libraries.python.VatJsonUtil
-| Library | resources.libraries.python.IPv6Setup
-| Library | resources.libraries.python.VhostUser
-| Library | resources.libraries.python.QemuUtils
-| Library | String
-| Resource | resources/libraries/robot/shared/traffic.robot
-| Resource | resources/libraries/robot/shared/default.robot
-| Resource | resources/libraries/robot/shared/interfaces.robot
-| Resource | resources/libraries/robot/shared/testing_path.robot
-| Resource | resources/libraries/robot/ip/ip6.robot
-| Resource | resources/libraries/robot/crypto/ipsec.robot
-| Resource | resources/libraries/robot/vm/qemu.robot
-| Resource | resources/libraries/robot/overlay/lispgpe.robot
-| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot
-# Import configuration and test data:
-| Variables | resources/test_data/lisp/ipv4_lispgpe_ipv6/ipv4_lispgpe_ipsec_ipv6.py
-| ...
-| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH
-| ...
-| Test Setup | Set up functional test
-| ...
-| Test Teardown | Tear down functional test
-| ...
-| Documentation | *IPv6 - ip4-ipsec-lispgpe-ip6 - main fib, virt2lisp, phy2lisp*
-| ...
-| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\
-| ... | with single links between nodes.
-| ... | *[Enc] Packet Encapsulations:* Eth-IPv6-LISPGPE-IPSec-IPv4-ICMP,\
-| ... | Eth-IPv6-IPSec-LISPGPE-IPv4-ICMP
-| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\
-| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\
-| ... | on RLOC interface or lisp_gpe0 interface.
-| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1 to\
-| ... | DUT2 where it is forwarded to TG(if2).
-| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303.
-
-*** Test Cases ***
-| TC01: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int.
-| | [Documentation]
-| | ... | [Top] TG-DUT1-DUT2-TG.
-| | ... | [Enc] Eth-IPv6-LISPGPE-IPSec-IPv4-ICMP on DUT1-DUT2, Eth-IPv4-ICMP\
-| | ... | on TG-DUTn.
-| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\
-| | ... | IPsec in between DUTS.
-| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\
-| | ... | both DUTs and LISP GPE tunnel between them; verify IPv4 headers on\
-| | ... | received packets are correct.
-| | ... | [Ref] RFC6830, RFC4303.
-| | ...
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Setup Topology And Lisp
-| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
-| | ... | ${dut1_to_dut2_ip6} | ${dut2_to_dut1_ip6}
-| | And Configure manual keyed connection for IPSec
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
-| | ... | ${dut2_to_dut1_ip6} | ${dut1_to_dut2_ip6}
-| | Then Send packet and verify headers
-| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4}
-| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
-| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers
-| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4}
-| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
-| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
-
-| TC02: DUT1 and DUT2 route IPv4 bidirectionally over LISP GPE tunnel using IPsec (transport) on lisp_gpe0 Int.
-| | [Documentation]
-| | ... | [Top] TG-DUT1-DUT2-TG.
-| | ... | [Enc] Eth-IPv6-IPSec-LISPGPE-IPv4-ICMPv4 on DUT1-DUT2, Eth-IPv4-ICMP\
-| | ... | on TG-DUTn.
-| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\
-| | ... | IPsec in between DUTS.
-| | ... | [Ver] Make TG send ICMPv6 Echo Req between its interfaces across\
-| | ... | both DUTs and LISP GPE tunnel between them; verify IPv4 headers on\
-| | ... | received packets are correct.
-| | ... | [Ref] RFC6830, RFC4303.
-| | ...
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Setup Topology And Lisp
-| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.get sw if index
-| | ... | ${dut1_node} | ${lisp_gpe_int}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
-| | ... | ${dut1_to_dut2_ip6} | ${dut2_to_dut1_ip6}
-| | And Configure manual keyed connection for IPSec
-| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
-| | ... | ${dut2_to_dut1_ip6} | ${dut1_to_dut2_ip6}
-| | Then Send packet and verify headers
-| | ... | ${tg_node} | ${tg1_ip4} | ${tg2_ip4}
-| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
-| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers
-| | ... | ${tg_node} | ${tg2_ip4} | ${tg1_ip4}
-| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
-| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
-
-*** Keywords ***
-| Setup Topology And Lisp
-| | [Documentation] | Setup IPs and neighbors for interfaces on DUT1 and DUT2\
-| | ... | and then setup LISP.
-| | Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | Set interfaces in 3-node circular topology up
-| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6}
-| | ... | ${prefix6}
-| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6}
-| | ... | ${prefix6}
-| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip4}
-| | ... | ${prefix4}
-| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip6}
-| | ... | ${prefix6}
-| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip4}
-| | ... | ${prefix4}
-| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip4}
-| | ... | ${tg_to_dut2_mac}
-| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip6}
-| | ... | ${dut2_to_dut1_mac}
-| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip6}
-| | ... | ${dut1_to_dut2_mac}
-| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip4}
-| | ... | ${tg_to_dut1_mac}
-| | Vpp All RA Suppress Link Layer | ${nodes}
-| | Configure LISP GPE topology in 3-node circular topology
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
-| | ... | ${duts_locator_set} | ${dut1_ip4_eid} | ${dut2_ip4_eid}
-| | ... | ${dut1_to_dut2_ip_static_adjacency}
-| | ... | ${dut2_to_dut1_ip_static_adjacency}
diff --git a/tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot b/tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot
deleted file mode 100644
index ca81b425c8..0000000000
--- a/tests/vpp/func/crypto/eth2p-ethip6ipsectptlispgpe-ip6base-func.robot
+++ /dev/null
@@ -1,174 +0,0 @@
-# Copyright (c) 2016 Cisco and/or its affiliates.
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at:
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-*** Settings ***
-| Library | resources.libraries.python.topology.Topology
-| Library | resources.libraries.python.NodePath
-| Library | resources.libraries.python.Trace
-| Library | resources.libraries.python.IPUtil
-| Library | resources.libraries.python.L2Util
-| Library | resources.libraries.python.LispUtil
-| Library | resources.libraries.python.VPPUtil
-| Library | resources.libraries.python.IPsecUtil
-| Library | resources.libraries.python.VatJsonUtil
-| Library | resources.libraries.python.IPv6Setup
-| Library | resources.libraries.python.VhostUser
-| Library | resources.libraries.python.QemuUtils
-| Library | String
-| Resource | resources/libraries/robot/shared/traffic.robot
-| Resource | resources/libraries/robot/shared/default.robot
-| Resource | resources/libraries/robot/shared/interfaces.robot
-| Resource | resources/libraries/robot/shared/testing_path.robot
-| Resource | resources/libraries/robot/ip/ip6.robot
-| Resource | resources/libraries/robot/crypto/ipsec.robot
-| Resource | resources/libraries/robot/vm/qemu.robot
-| Resource | resources/libraries/robot/overlay/lispgpe.robot
-| Resource | resources/libraries/robot/l2/l2_bridge_domain.robot
-# Import configuration and test data:
-| Variables | resources/test_data/lisp/ipv6_lispgpe_ipv6/ipv6_lispgpe_ipsec_ipv6.py
-| ...
-| Force Tags | 3_NODE_SINGLE_LINK_TOPO | VM_ENV | LISP | SKIP_VPP_PATCH
-| ...
-| Test Setup | Run Keywords | Set up functional test
-| ...        | AND          | Vpp All Ra Suppress Link Layer | ${nodes}
-| ...
-| Test Teardown | Tear down functional test
-| ...
-| Documentation | *IPv6 - ip6-ipsec-lispgpe-ip6 - main fib,
-| ... | vrf (gpe_vni-to-vrf), phy2lisp, virt2lisp*
-| ...
-| ... | *[Top] Network Topologies:* TG-DUT1-DUT2-TG 3-node circular topology\
-| ... | with single links between nodes.
-| ... | *[Enc] Packet Encapsulations:* Eth-IPv6-IPSec-LISPGPE-IPv6-ICMPv6,\
-| ... | *[Cfg] DUT configuration:* Each DUT is configured with LISP and IPsec.\
-| ... | IPsec is in transport mode. Tests cases are for IPsec configured both\
-| ... | on RLOC interface or lisp_gpe0 interface.
-| ... | *[Ver] TG verification:* Packet is send from TG(if1) across the DUT1\
-| ... | to DUT2 where it is forwarded to TG(if2).
-| ... | *[Ref] Applicable standard specifications:* RFC6830, RFC4303.
-
-*** Variables ***
-| ${dut2_spi}= | ${1000}
-| ${dut1_spi}= | ${1001}
-
-| ${ESP_PROTO}= | ${50}
-
-| ${bid}= | 10
-
-*** Test Cases ***
-| TC01: DUT1 and DUT2 route IPv6 bidirectionally over LISP GPE tunnel using IPsec (transport) on RLOC Int.
-| | [Documentation]
-| | ... | [Top] TG-DUT1-DUT2-TG.
-| | ... | [Enc] Eth-IPv6-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2,\
-| | ... | Eth-IPv6-ICMPv6 on TG-DUTn.
-| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\
-| | ... | IPsec in between DUTS.
-| | ... | [Ver] Case: ip6-lispgpe-ipsec-ip6 - main fib, phys2lisp\
-| | ... | Make TG send ICMPv6 Echo Req between its interfaces across\
-| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\
-| | ... | received packets are correct.
-| | ... | [Ref] RFC6830, RFC4303.
-| | ...
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Setup Topology
-| | And Configure LISP GPE topology in 3-node circular topology
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
-| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid}
-| | ... | ${dut1_to_dut2_ip6_static_adjacency}
-| | ... | ${dut2_to_dut1_ip6_static_adjacency}
-| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi}
-| | ... | ${dut1_to_dut2_ip6} | ${dut2_to_dut1_ip6}
-| | And Configure manual keyed connection for IPSec
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi}
-| | ... | ${dut2_to_dut1_ip6} | ${dut1_to_dut2_ip6}
-| | Then Send packet and verify headers
-| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6}
-| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
-| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers
-| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6}
-| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
-| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
-
-| TC02: DUT1 and DUT2 route IPv6 bidirectionally over LISP GPE tunnel using IPsec (transport) lisp_gpe0 Int.
-| | [Documentation]
-| | ... | [Top] TG-DUT1-DUT2-TG.
-| | ... | [Enc] Eth-IPv6-IPSec-LISPGPE-IPv6-ICMPv6 on DUT1-DUT2,\
-| | ... | Eth-IPv6-ICMPv6 on TG-DUTn.
-| | ... | [Cfg] Configure IPv6 LISP static adjacencies on DUT1 and DUT2 with\
-| | ... | IPsec in between DUTS.
-| | ... | [Ver] Case: ip6-ipsec-lispgpe-ip6 - main fib, phys2lisp\
-| | ... | Make TG send ICMPv6 Echo Req between its interfaces across\
-| | ... | both DUTs and LISP GPE tunnel between them; verify IPv6 headers on\
-| | ... | received packets are correct.
-| | ... | [Ref] RFC6830, RFC4303.
-| | ...
-| | ${encr_alg}= | Crypto Alg AES CBC 128
-| | ${auth_alg}= | Integ Alg SHA1 96
-| | Given Setup Topology
-| | And Configure LISP GPE topology in 3-node circular topology
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${NONE}
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${NONE}
-| | ... | ${duts_locator_set} | ${dut1_ip6_eid} | ${dut2_ip6_eid}
-| | ... | ${dut1_to_dut2_ip6_static_adjacency}
-| | ... | ${dut2_to_dut1_ip6_static_adjacency}
-| | ${lisp_if_idx}= | resources.libraries.python.InterfaceUtil.get sw if index
-| | ... | ${dut1_node} | lisp_gpe0
-| | And Generate keys for IPSec | ${encr_alg} | ${auth_alg}
-| | When Configure manual keyed connection for IPSec
-| | ... | ${dut1_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut1_spi} | ${dut2_spi} | ${tg1_ip6}
-| | ... | ${tg2_ip6}
-| | And Configure manual keyed connection for IPSec
-| | ... | ${dut2_node} | ${lisp_if_idx} | ${encr_alg} | ${encr_key}
-| | ... | ${auth_alg} | ${auth_key} | ${dut2_spi} | ${dut1_spi} | ${tg2_ip6}
-| | ... | ${tg1_ip6}
-| | Then Send packet and verify headers
-| | ... | ${tg_node} | ${tg1_ip6} | ${tg2_ip6}
-| | ... | ${tg_to_dut1} | ${tg_to_dut1_mac} | ${dut1_to_tg_mac}
-| | ... | ${tg_to_dut2} | ${dut2_to_tg_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers
-| | ... | ${tg_node} | ${tg2_ip6} | ${tg1_ip6}
-| | ... | ${tg_to_dut2} | ${tg_to_dut2_mac} | ${dut2_to_tg_mac}
-| | ... | ${tg_to_dut1} | ${dut1_to_tg_mac} | ${tg_to_dut1_mac}
-
-*** Keywords ***
-| Setup Topology
-| | Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | Set interfaces in 3-node circular topology up
-| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6}
-| | ... | ${prefix6}
-| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip6}
-| | ... | ${prefix6}
-| | Vpp Set If IPv6 Addr | ${dut1_node} | ${dut1_to_tg} | ${dut1_to_tg_ip6}
-| | ... | ${prefix6}
-| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_dut1_ip6}
-| | ... | ${prefix6}
-| | Vpp Set If IPv6 Addr | ${dut2_node} | ${dut2_to_tg} | ${dut2_to_tg_ip6}
-| | ... | ${prefix6}
-| | Add IP Neighbor | ${dut1_node} | ${dut1_to_tg} | ${tg1_ip6}
-| | ... | ${tg_to_dut1_mac}
-| | Add IP Neighbor | ${dut2_node} | ${dut2_to_tg} | ${tg2_ip6}
-| | ... | ${tg_to_dut2_mac}
-| | Add IP Neighbor | ${dut1_node} | ${dut1_to_dut2} | ${dut2_to_dut1_ip6}
-| | ... | ${dut2_to_dut1_mac}
-| | Add IP Neighbor | ${dut2_node} | ${dut2_to_dut1} | ${dut1_to_dut2_ip6}
-| | ... | ${dut1_to_dut2_mac}
-| | Vpp All RA Suppress Link Layer | ${nodes}
diff --git a/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectnlsw-ip4base-func.robot b/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectnlsw-ip4base-func.robot
new file mode 100644
index 0000000000..7f6207e3db
--- /dev/null
+++ b/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectnlsw-ip4base-func.robot
@@ -0,0 +1,560 @@
+# Copyright (c) 2017 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+| Library | resources.libraries.python.Trace
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO
+| ...        | VM_ENV | HW_ENV | IPSEC | IPSEC_SW
+| ...
+| Test Setup | Set up IPSec SW device functional test | IPv4
+| ...
+| Test Teardown | Tear down IPSec SW device functional test
+| ...
+| Documentation | *IPv4 SW cryptodev IPsec tunnel mode test suite.*
+| ...
+| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\
+| ... | between nodes.
+| ... | *[Cfg] DUT configuration:* With enabled SW crytodev on DUT1 create\
+| ... | loopback interface, configure loopback and physical interface IPv4\
+| ... | addresses, static ARP record, route and IPsec manual keyed connection\
+| ... | in tunnel mode.
+| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\
+| ... | is received on TG from DUT1.
+| ... | *[Ref] Applicable standard specifications:* RFC4303.
+
+*** Variables ***
+| ${tg_spi}= | ${1000}
+| ${dut_spi}= | ${1001}
+| ${ESP_PROTO}= | ${50}
+| ${tg_if_ip4}= | 192.168.100.2
+| ${dut_if_ip4}= | 192.168.100.3
+| ${tg_lo_ip4}= | 192.168.3.3
+| ${dut_lo_ip4}= | 192.168.4.4
+| ${ip4_plen}= | ${24}
+
+*** Test Cases ***
+| TC01: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC02: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC03: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC04: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC05: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC06: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC07: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC08: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC09: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC10: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC11: VPP process ESP packet in Tunnel Mode with AES-CBC-192 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC12: VPP process ESP packet in Tunnel Mode with AES-CBC-256 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in tunnel\
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC13: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC14: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC15: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG.
+| | ... | [Ref] RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC16: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
+| | ... | and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
+| | ... | ${tg_spi} | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC17: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG before and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC18: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG before and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+| TC19: VPP process ESP packet in Tunnel Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in tunnel\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG before and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_src_ip} | ${tg_src_ip}
+| | ... | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_src_ip} | ${dut_src_ip} | ${tg_tun_ip}
+| | ... | ${dut_tun_ip}
+
+*** Keywords ***
+| Get Second Random String
+| | [Arguments] | ${req_alg} | ${req_type}
+| | ...
+| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
+| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
+| | ... | '${req_type}' == 'Integ' | ${auth_key}
+| | :FOR | ${index} | IN RANGE | 100
+| | | ${req_key}= | Generate Random String | ${req_key_len}
+| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}
diff --git a/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectptsw-ip4base-func.robot b/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectptsw-ip4base-func.robot
new file mode 100644
index 0000000000..85d77be828
--- /dev/null
+++ b/tests/vpp/func/crypto/sw_device/eth2p-ethip4ipsectptsw-ip4base-func.robot
@@ -0,0 +1,535 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+| Library | resources.libraries.python.Trace
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | 3_NODE_DOUBLE_LINK_TOPO
+| ...        | VM_ENV | HW_ENV | IPSEC | IPSEC_SW
+| ...
+| Test Setup | Set up IPSec SW device functional test | IPv4
+| ...
+| Test Teardown | Tear down IPSec SW device functional test
+| ...
+| Documentation | *IPv4 IPsec transport mode test suite.*
+| ...
+| ... | *[Top] Network topologies:* TG-DUT1 2-node topology with one link\
+| ... | between nodes.
+| ... | *[Cfg] DUT configuration:* With enabled SW crytodev on DUT1 create\
+| ... | loopback interface, configure loopback and physical interface IPv4\
+| ... | addresses, static ARP record, route and IPsec manual keyed connection\
+| ... | in transport mode.
+| ... | *[Ver] TG verification:* ESP packet is sent from TG to DUT1. ESP packet\
+| ... | is received on TG from DUT1.
+| ... | *[Ref] Applicable standard specifications:* RFC4303.
+
+*** Variables ***
+| ${tg_spi}= | ${1000}
+| ${dut_spi}= | ${1001}
+| ${ESP_PROTO}= | ${50}
+| ${tg_if_ip4}= | 192.168.100.2
+| ${dut_if_ip4}= | 192.168.100.3
+| ${tg_lo_ip4}= | 192.168.3.3
+| ${dut_lo_ip4}= | 192.168.4.4
+| ${ip4_plen}= | ${24}
+
+*** Test Cases ***
+| TC01: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC02: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA1-96 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC03: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA1-96 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA1-96 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC04: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-256-128 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC05: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-256-128 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC06: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-256-128 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-256-128 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 256 128
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC07: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-384-192 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC08: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-384-192 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC09: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-384-192 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-384-192 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 384 192
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC10: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA-512-256 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC11: VPP process ESP packet in Transport Mode with AES-CBC-192 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-192 and integrity algorithm SHA-512-256 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | SKIP_PATCH | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 192
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC12: VPP process ESP packet in Transport Mode with AES-CBC-256 encryption and SHA-512-256 integrity
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-256 and integrity algorithm SHA-512-256 in transport
+| | ... | mode.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 256
+| | ${auth_alg}= | Integ Alg SHA 512 256
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+
+| TC13: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC14: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG.
+| | ... | [Ref] RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC15: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG.
+| | ... | [Ref] RFC4303.
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC16: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send and receive ESP packet between TG and VPP node before\
+| | ... | and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${new_auth_key}
+| | ... | ${tg_spi} | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC17: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet encrypted by encryption key different from\
+| | ... | encryption key stored on VPP node from TG to VPP node and expect no\
+| | ... | response to be received on TG before and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${new_auth_key} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC18: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key different\
+| | ... | from integrity key stored on VPP node from TG to VPP node and expect\
+| | ... | no response to be received on TG before and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${new_encr_key} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+| TC19: VPP process ESP packet in Transport Mode with AES-CBC-128 encryption and SHA1-96 integrity with update SA keys - different encryption and integrity alogrithms used
+| | [Documentation]
+| | ... | [Top] TG-DUT1.
+| | ... | [Ref] RFC4303.
+| | ... | [Cfg] On DUT1 configure IPsec manual keyed connection with encryption\
+| | ... | algorithm AES-CBC-128 and integrity algorithm SHA1-96 in transport\
+| | ... | mode. Then update SA keys - use new keys.
+| | ... | [Ver] Send an ESP packet authenticated by integrity key and encrypted\
+| | ... | by encryption key different from integrity and encryption keys stored\
+| | ... | on VPP node from TG to VPP node and expect no response to be received\
+| | ... | on TG before and after SA keys update.
+| | ...
+| | [Tags] | EXPECTED_FAILING
+| | ...
+| | ${encr_alg}= | Crypto Alg AES CBC 128
+| | ${auth_alg}= | Integ Alg SHA1 96
+| | Given Generate keys for IPSec | ${encr_alg} | ${auth_alg}
+| | When Configure manual keyed connection for IPSec
+| | ... | ${dut_node} | ${dut_if} | ${encr_alg} | ${encr_key} | ${auth_alg}
+| | ... | ${auth_key} | ${dut_spi} | ${tg_spi} | ${dut_tun_ip} | ${tg_tun_ip}
+| | ${encr_key2}= | And Get Second Random String | ${encr_alg} | Crypto
+| | ${auth_key2}= | And Get Second Random String | ${auth_alg} | Integ
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+| | ${new_encr_key}= | Given Get Second Random String | ${encr_alg} | Crypto
+| | ${new_auth_key}= | And Get Second Random String | ${auth_alg} | Integ
+| | When Update IPSec SA keys | ${dut_node} | ${l_sa_id} | ${r_sa_id}
+| | ... | ${new_encr_key} | ${new_auth_key}
+| | Then Run Keyword And Expect Error | ESP packet Rx timeout
+| | ... | Send IPsec Packet and verify ESP encapsulation in received packet
+| | ... | ${tg_node} | ${tg_if} | ${dut_if_mac}
+| | ... | ${encr_alg} | ${encr_key2} | ${auth_alg} | ${auth_key2} | ${tg_spi}
+| | ... | ${dut_spi} | ${tg_tun_ip} | ${dut_tun_ip}
+
+*** Keywords ***
+| Get Second Random String
+| | [Arguments] | ${req_alg} | ${req_type}
+| | ...
+| | ${req_key_len}= | Run Keyword | Get ${req_type} Alg Key Len | ${req_alg}
+| | ${key}= | Set Variable If | '${req_type}' == 'Crypto' | ${encr_key}
+| | ... | '${req_type}' == 'Integ' | ${auth_key}
+| | :FOR | ${index} | IN RANGE | 100
+| | | ${req_key}= | Generate Random String | ${req_key_len}
+| | | Return From Keyword If | '${req_key}' != '${key}' | ${req_key}
-- 
cgit 1.2.3-korg