author | Yves-Alexis Perez <corsac@debian.org> | 2015-10-22 11:43:58 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2015-10-22 11:43:58 +0200 |
commit | 5dca9ea0e2931f0e2a056c7964d311bcc30a01b8 (patch) | |
tree | 037f1ec5bb860846938ddcf29771c24e9c529be0 /testing/tests/ikev2 | |
parent | b238cf34df3fe4476ae6b7012e7cb3e9769d4d51 (diff) | |
download | vyos-strongswan-5dca9ea0e2931f0e2a056c7964d311bcc30a01b8.tar.gz vyos-strongswan-5dca9ea0e2931f0e2a056c7964d311bcc30a01b8.zip |
Imported Upstream version 5.3.3
Diffstat (limited to 'testing/tests/ikev2')
44 files changed, 354 insertions, 21 deletions
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/description.txt b/testing/tests/ikev2/alg-chacha20poly1305/description.txt
new file mode 100644
index 000000000..dd8918b68
--- /dev/null
+++ b/testing/tests/ikev2/alg-chacha20poly1305/description.txt
@@ -0,0 +1,5 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>CHACHA20_POLY1305_256</b> both for IKE and ESP by defining
+<b>ike=chacha20poly1305-prfsha256-ntru256</b> and
+<b>esp=chacha20poly1305-ntru256</b> in ipsec.conf, respectively.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/evaltest.dat b/testing/tests/ikev2/alg-chacha20poly1305/evaltest.dat
new file mode 100644
index 000000000..893e94da8
--- /dev/null
+++ b/testing/tests/ikev2/alg-chacha20poly1305/evaltest.dat
@@ -0,0 +1,13 @@
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CHACHA20_POLY1305_256::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CHACHA20_POLY1305_256::YES
+moon:: ipsec statusall 2> /dev/null::CHACHA20_POLY1305_256,::YES
+carol::ipsec statusall 2> /dev/null::CHACHA20_POLY1305_256,::YES
+moon:: ip xfrm state::aead rfc7539esp(chacha20,poly1305)::YES
+carol::ip xfrm state::aead rfc7539esp(chacha20,poly1305)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..eebbaa174
--- /dev/null
+++ b/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=chacha20poly1305-prfsha256-ntru256!
+ esp=chacha20poly1305-ntru256!
+
+conn home
+ left=PH_IP_CAROL
+ leftfirewall=yes
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..9e655eaa9
--- /dev/null
+++ b/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = chapoly aes des sha1 sha2 md5 pem pkcs1 gmp ntru random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+
+ send_vendor_id = yes
+}
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..b0b57631f
--- /dev/null
+++ b/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/ipsec.conf
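Review bot: The trailing `!` on `ike=chacha20poly1305-prfsha256-ntru256!` and `esp=chacha20poly1305-ntru256!` is what makes this an algorithm test rather than an ordinary negotiation: it marks the proposals strict, so charon does not append its default proposals and the peer cannot fall back to any of the other algorithms the `load` line in strongswan.conf makes available (aes, des, sha1, md5). Nothing in the file says so, and a later edit that drops the `!` would silently widen the test while every evaltest line still passes as long as CHACHA20_POLY1305 happens to be picked. A one-line comment above the two proposals, `# strict (!) proposals: only CHACHA20_POLY1305 may be negotiated for IKE and ESP`, would pin the intent. moon's ipsec.conf in the next hunk carries the same two lines and would take the same comment.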
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=chacha20poly1305-prfsha256-ntru256!
+ esp=chacha20poly1305-ntru256!
+
+conn rw
+ left=PH_IP_MOON
+ leftfirewall=yes
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..964c520d3
--- /dev/null
+++ b/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = chapoly aes des sha1 sha2 md5 pem pkcs1 gmp ntru random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+
+ send_vendor_id = yes
+}
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/posttest.dat b/testing/tests/ikev2/alg-chacha20poly1305/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/ikev2/alg-chacha20poly1305/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat b/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat
new file mode 100644
index 000000000..4fc25772b
--- /dev/null
+++ b/testing/tests/ikev2/alg-chacha20poly1305/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/alg-chacha20poly1305/test.conf b/testing/tests/ikev2/alg-chacha20poly1305/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/ikev2/alg-chacha20poly1305/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
index 2d54c6027..eb69d2e45 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -2,6 +2,8 @@ alice::cat /etc/freeradius/clients.conf
 alice::cat /etc/freeradius/eap.conf
 alice::cat /etc/freeradius/proxy.conf
 alice::cat /etc/freeradius/triplets.dat
+carol::cat /etc/ipsec.d/triplets.dat
+dave::cat /etc/ipsec.d/triplets.dat
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
index 37ef9c665..c8ef183c0 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
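Review bot: The two added `cat /etc/ipsec.d/triplets.dat` lines print carol's and dave's EAP-SIM triplets into the test console log, next to the copy alice already dumps from /etc/freeradius/triplets.dat. For the fixed fixtures shipped with this test that is fine, but it makes the saved log equivalent to the secrets file, so these triplets have to stay test-only and anyone reusing this pretest against a real SIM backend should drop the dump. A short comment in the file, `# dump the test triplets so the log shows what the peers authenticate with`, would make the purpose of the lines clear. The same lines are added in the pretest hunks of rw-eap-sim-id-radius, rw-eap-sim-only-radius and rw-eap-sim-radius.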
@@ -1,7 +1,7 @@ -----BEGIN CERTIFICATE----- -MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MIID/TCCAuWgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL +BAMTCFNhbGVzIENBMB4XDTE1MDcyMjEzMzYwMVoXDTE5MDQwMzEzMzYwMVowUTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf @@ -15,10 +15,10 @@ x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB -ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B -bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4 -hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk -WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy -02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF -yuVPkDSgPds6m0KQcEVnuaU= +AExl2Twec2R2A187Ythn+by+HmP2KYcwt80MwgAXX8jYGiidmv05g6Oa+cvP1Hxo +ilCZwTbMSOGmSJSpBDeJq3iQOnOONvNuhiu37ziqMY2CBSOVBzxp6gATp1k3m3m9 +oKR/LWl74VhgHxoF4E4Tds4BYzD0T6mrEo5Vi8tNr4T4LKhoe+pfwNvqSzefWEKY +27ehiMPhQoAr4S/aBynp9qtzrrvGFIFqbINKMCDZy5P3BzI6ki69J6FkvkO75SEa +31JRvEB8jyfxaJz9EzdvmfEAsSc5Akzc3ZLR7e0T+NaJitbtFoaqZc+1TIfKNbdt +dSLmfo9Q/ieLbkd0Tljl/Cg= -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem index 0a435b90d..4e4195184 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem 
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- -MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIIEADCCAuigAwIBAgIBDDANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz -OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE1MDcyMjEzMzkxMloXDTE5MDQwMzEzMzkx +MlowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH /QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq @@ -15,10 +15,10 @@ p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD -ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx -qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7 -MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD -Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16 -EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo -aeDWsllgAdqMA2fL7i9tsFHZVYk= +ggEBAA02ru9JhdIdlASKIJeVq71tl1wCpLZXZHwogfJqxQ+4oFghXS1dlqQ6H3bC +FbjycssfGVEox349edq1s+4vbK+VS9j2kFBAwxw7NUXKOJ1tM0/FjSFrBTDzw53S +e7V12nzyep5p8Dzd4CMP2ThpKKofNWzaRb9o/K2vsk3nP2W/CVj+E32Chm5ySdl9 +sYHzAlNYoBi/xxHeSzWSzTA9gEMV5onNx025SGUx6TwQejMAD/DEp0QNGaqBD1lC +916UfBG0voUz8BpQzvRXeFCW3qPbNuJWvu3c/VRhYe5DRz3Cq1R9YoQnZhStjdRr +v7YJ5uRiz1rJ0yrQ/W1rMNFGirI= -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown index e0c15f56a..482ea3f87 100755 
--- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
@@ -71,7 +71,7 @@
 # PLUTO_MY_SOURCEIP6_$i
 # contains IPv4/IPv6 virtual IP received from a responder,
 # $i enumerates from 1 to the number of IP per address family.
-# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
 # virtual IP, IPv4 or IPv6.
 #
 # PLUTO_MY_PROTOCOL
@@ -94,6 +94,14 @@
 # the peer's own IP address / max (where max is 32
 # for IPv4 and 128 for IPv6).
 #
+# PLUTO_PEER_SOURCEIP
+# PLUTO_PEER_SOURCEIP4_$i
+# PLUTO_PEER_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP sent to an initiator,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
+# virtual IP, IPv4 or IPv6.
+#
 # PLUTO_PEER_PROTOCOL
 # is the IP protocol that will be transported.
 #
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
index 1afd70df8..f3bfd9b36 100755
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -62,7 +62,7 @@
 # PLUTO_MY_SOURCEIP6_$i
 # contains IPv4/IPv6 virtual IP received from a responder,
 # $i enumerates from 1 to the number of IP per address family.
-# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
 # virtual IP, IPv4 or IPv6.
 #
 # PLUTO_MY_PROTOCOL
@@ -85,6 +85,14 @@
 # the peer's own IP address / max (where max is 32
 # for IPv4 and 128 for IPv6).
 #
+# PLUTO_PEER_SOURCEIP
+# PLUTO_PEER_SOURCEIP4_$i
+# PLUTO_PEER_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP sent to an initiator,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
+# virtual IP, IPv4 or IPv6.
+#
 # PLUTO_PEER_PROTOCOL
 # is the IP protocol that will be transported.
 #
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index e9ab41c7f..7e12e2fcd 100755
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -71,7 +71,7 @@
 # PLUTO_MY_SOURCEIP6_$i
 # contains IPv4/IPv6 virtual IP received from a responder,
 # $i enumerates from 1 to the number of IP per address family.
-# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
 # virtual IP, IPv4 or IPv6.
 #
 # PLUTO_MY_PROTOCOL
@@ -94,6 +94,14 @@
 # the peer's own IP address / max (where max is 32
 # for IPv4 and 128 for IPv6).
 #
+# PLUTO_PEER_SOURCEIP
+# PLUTO_PEER_SOURCEIP4_$i
+# PLUTO_PEER_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP sent to an initiator,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
+# virtual IP, IPv4 or IPv6.
+#
 # PLUTO_PEER_PROTOCOL
 # is the IP protocol that will be transported.
 #
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index b9117af36..f8a9cc852 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,6 +1,7 @@
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 alice::cat /etc/freeradius/triplets.dat
+carol::cat /etc/ipsec.d/triplets.dat
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 0b3e901c2..0e9e46bfd 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -5,6 +5,8 @@ moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
 alice::cat /etc/freeradius/triplets.dat
+carol::cat /etc/ipsec.d/triplets.dat
+dave::cat /etc/ipsec.d/triplets.dat
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+ simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
index c17bec0f7..57c9f11a8 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -5,6 +5,8 @@ alice::cat /etc/freeradius/clients.conf
 alice::cat /etc/freeradius/eap.conf
 alice::cat /etc/freeradius/proxy.conf
 alice::cat /etc/freeradius/triplets.dat
+carol::cat /etc/ipsec.d/triplets.dat
+dave::cat /etc/ipsec.d/triplets.dat
 alice::radiusd
 moon::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
index f29298850..42d23a50b 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
@@ -19,3 +19,7 @@ TCPDUMPHOSTS="moon"
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
index b8b45e3b0..00ce6cd9c 100755
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -71,7 +71,7 @@
 # PLUTO_MY_SOURCEIP6_$i
 # contains IPv4/IPv6 virtual IP received from a responder,
 # $i enumerates from 1 to the number of IP per address family.
-# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first
 # virtual IP, IPv4 or IPv6.
 #
 # PLUTO_MY_PROTOCOL
@@ -94,6 +94,14 @@
 # the peer's own IP address / max (where max is 32
 # for IPv4 and 128 for IPv6).
 #
+# PLUTO_PEER_SOURCEIP
+# PLUTO_PEER_SOURCEIP4_$i
+# PLUTO_PEER_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP sent to an initiator,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first
+# virtual IP, IPv4 or IPv6.
+#
 # PLUTO_PEER_PROTOCOL
 # is the IP protocol that will be transported.
 #
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der
Binary files differ
index cbc7e09c1..fdfd39f13 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der
Binary files differ
index 491e245dd..8a520c0b4 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der
Binary files differ
index cbc7e09c1..fdfd39f13 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der
Binary files differ
index 83a213710..75a114339 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der
Binary files differ
index cbc7e09c1..fdfd39f13 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der
Binary files differ
index 1ab7d21f7..d0ea364b0 100644
--- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der
diff --git a/testing/tests/ikev2/trap-any/description.txt b/testing/tests/ikev2/trap-any/description.txt
new file mode 100644
index 000000000..81e148259
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/description.txt
@@ -0,0 +1,7 @@
+The hosts <b>moon</b>, <b>sun</b> and <b>dave</b> install <b>transport-mode</b> trap
+policies with <b>right=%any</b>. The remote host is dynamically determined based on
+the acquires received from the kernel. Host <b>dave</b> additionally limits the remote
+hosts to <b>moon</b> and <b>sun</b> with <b>rightsubnet</b>. This is tested by
+pinging <b>sun</b> and <b>carol</b> from <b>moon</b>, <b>carol</b> from <b>sun</b>, and
+<b>sun</b> and <b>moon</b> from <b>dave</b>. The latter also pings <b>carol</b>, which
+is not going to be encrypted as <b>carol</b> is not part of the configured <b>rightsubnet</b>.
diff --git a/testing/tests/ikev2/trap-any/evaltest.dat b/testing/tests/ikev2/trap-any/evaltest.dat
new file mode 100644
index 000000000..bcba9ef08
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/evaltest.dat
@@ -0,0 +1,33 @@
+moon::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+moon::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+sun::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+dave::ping -c 2 -W 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES
+dave::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=1::YES
+moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_SUN::YES
+moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_CAROL::YES
+moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_DAVE::YES
+sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
+sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_DAVE::YES
+sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_CAROL::YES
+dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_MOON::YES
+dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_SUN::YES
+carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_MOON::YES
+carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_SUN::YES
+carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_DAVE::NO
+moon::ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+dave:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+carol:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+sun::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+sun::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+carol::tcpdump::IP dave.strongswan.org > carol.strongswan.org: ICMP echo request::YES
+carol::tcpdump::IP carol.strongswan.org > dave.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..a2d62296f
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,16 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="knl 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn trap-any
+ right=%any
+ type=transport
+ authby=psk
+ auto=add
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..34647bc0b
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..3c7adfbf9
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="knl 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn trap-any
+ right=%any
+ rightsubnet=192.168.0.0/30
+ type=transport
+ authby=psk
+ auto=route
+
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..34647bc0b
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
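Review bot: `: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL` has no selector in front of the colon, so it is a wildcard secret that applies to every peer, which is what `right=%any` with `authby=psk` requires, but the identical blob (index 34647bc0b) is committed for carol, dave, moon and sun, so any host that learns this one value can bring up a transport SA with all four. That is acceptable for the isolated test network, and a comment would make the scope explicit, e.g. `# test-only group PSK, identical on moon/sun/carol/dave`. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the other new files in this test. The ipsec.secrets hunks of dave, moon and sun are byte-identical and share both points.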
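Review bot: `rightsubnet=192.168.0.0/30` is the only thing that stops dave's trap from covering carol, and the hunk gives no hint which peers the /30 is meant to select; description.txt names moon and sun, so a comment on that line would tie the configuration to the expectation in evaltest.dat, e.g. `# limit the trap to moon and sun; carol lies outside this /30 and is reached in the clear`. The hunk also ends with an empty added line after `auto=route`, which sun's ipsec.conf repeats while moon's and carol's stop at the last `auto=` line.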
\ No newline at end of file
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..409bee2cb
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="knl 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+# to access the host via SSH in the test environment
+conn pass-ssh
+ authby=never
+ leftsubnet=0.0.0.0/0[tcp/22]
+ rightsubnet=0.0.0.0/0[tcp]
+ type=pass
+ auto=route
+
+conn trap-any
+ right=%any
+ type=transport
+ authby=psk
+ auto=route
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..34647bc0b
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..71edc4c14
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="knl 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+# to access the host via SSH in the test environment
+conn pass-ssh
+ authby=never
+ leftsubnet=0.0.0.0/0[tcp/22]
+ rightsubnet=0.0.0.0/0[tcp]
+ type=pass
+ auto=route
+
+conn trap-any
+ right=%any
+ type=transport
+ authby=psk
+ auto=route
+
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..34647bc0b
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
\ No newline at end of file
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/trap-any/posttest.dat b/testing/tests/ikev2/trap-any/posttest.dat
new file mode 100644
index 000000000..1bf206e26
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
diff --git a/testing/tests/ikev2/trap-any/pretest.dat b/testing/tests/ikev2/trap-any/pretest.dat
new file mode 100644
index 000000000..0924078b3
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/pretest.dat
@@ -0,0 +1,5 @@
+moon::ipsec start
+sun::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::sleep 1
diff --git a/testing/tests/ikev2/trap-any/test.conf b/testing/tests/ikev2/trap-any/test.conf
new file mode 100644
index 000000000..742bf02bd
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun carol dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun carol"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun carol dave"