In step 10, the UE 40 completes the authentication (if initiated in step 7) and creates a NAS security context. The UE 40 shall respond to the NAS SMC it received from the AMF 48 based on the selected algorithms and parameters. The UE 40 shall encapsulate the NAS SMC Complete in the EAP-5G Response.

In step 11, the N3IWF 42 shall forward the NAS packet containing NAS SMC Complete to the AMF 48 over the N2 interface.

In step 12, the AMF 48 upon reception of the NAS SMC Complete from the UE 40 or upon success of integrity protection verification, initiates the NGAP procedure to set up the AN context. The AMF 48 shall compute the N3IWF key, K_N3IWF, using the uplink NAS COUNT associated with NAS connection identifier “1” for the establishment of the IPsec SA between the UE 40 and the N3IWF 42 and shall include it in the NGAP Initial Context Setup Request sent to the N3IWF 42.

In step 13, the N3IWF 42 sends an EAP-Success/EAP-5G to the UE 40 upon reception of the NGAP Initial Context Setup Request containing the N3IWF key, KN3IWF. This completes the EAP-5G session and no further EAP-5G packets are exchanged. If the N3IWF 42 does not receive the K_N3IWF from AMF 48, the N3IWF 42 shall respond with an EAP-Failure.

In step 14, the IPsec SA is established between the UE 40 and N3IWF 42 by using the N3IWF key K_N3IWF that was created in the UE 40 using the uplink NAS COUNT associated with NAS connection identifier “1” and was received by N3IWF 42 from the AMF 48 in step 12.