Imported Upstream version 4.6.4

552 files changed, 5003 insertions, 654 deletions

diff --git a/testing/tests/ha/both-active/evaltest.dat b/testing/tests/ha/both-active/evaltest.dat
index 3fb52f927..a26d8e568 100644
--- a/testing/tests/ha/both-active/evaltest.dat
+++ b/testing/tests/ha/both-active/evaltest.dat
@@ -4,10 +4,10 @@ moon::ipsec statusall::rw.*PASSIVE.*carol@strongswan.org::YES
 moon::ipsec statusall::rw.*PASSIVE.*dave@strongswan.org::YES
 carol::ipsec statusall::home.*ESTABLISHED::YES
 dave::ipsec statusall::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::HA segment 2 activated::YES
 alice::cat /var/log/daemon.log::HA segment 1 activated::YES
-moon::cat /var/log/daemon.log::installed HA CHILD_SA::YES
+moon::cat /var/log/daemon.log::HA segment 2 activated::YES
 alice::cat /var/log/daemon.log::handling HA CHILD_SA::YES
+moon::cat /var/log/daemon.log::installed HA CHILD_SA::YES
 carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
 dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
 carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/esp-ah-transport/pretest.dat b/testing/tests/ikev1/esp-ah-transport/pretest.dat
index bd68efb0b..4fe0ee90b 100644
--- a/testing/tests/ikev1/esp-ah-transport/pretest.dat
+++ b/testing/tests/ikev1/esp-ah-transport/pretest.dat
@@ -2,5 +2,5 @@ moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 carol::ipsec start
 moon::ipsec start
-sleep 2
+carol::sleep 2
 carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-ah-tunnel/pretest.dat b/testing/tests/ikev1/esp-ah-tunnel/pretest.dat
index bd68efb0b..49973a7a5 100644
--- a/testing/tests/ikev1/esp-ah-tunnel/pretest.dat
+++ b/testing/tests/ikev1/esp-ah-tunnel/pretest.dat
@@ -2,5 +2,5 @@ moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 carol::ipsec start
 moon::ipsec start
-sleep 2
+carol::sleep 2 
 carol::ipsec up home
diff --git a/testing/tests/ikev1/starter-also/pretest.dat b/testing/tests/ikev1/starter-also/pretest.dat
index 4f96e61df..c7b4f43be 100644
--- a/testing/tests/ikev1/starter-also/pretest.dat
+++ b/testing/tests/ikev1/starter-also/pretest.dat
@@ -2,5 +2,5 @@ moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 carol::ipsec start
 moon::ipsec start --debug-all
-sleep 2
+carol::sleep 2
 carol::ipsec up home
diff --git a/testing/tests/ikev1/strong-certs/description.txt b/testing/tests/ikev1/strong-certs/description.txt
index 22b58668d..8e6e8b4f9 100644
--- a/testing/tests/ikev1/strong-certs/description.txt
+++ b/testing/tests/ikev1/strong-certs/description.txt
@@ -1,6 +1,6 @@
 This is a remote-access scenario with two roadwarriors <b>carol</b> and <b>dave</b>
 setting up a connection each to the VPN gateway <b>moon</b>. Authentication is
 based on strong X.509 certificates with SHA-2 signatures.
-The X.509 certificate of the gateway <b>moon</b> uses a <b>SHA-256</b> hash in
+The X.509 certificate of the gateway <b>moon</b> uses a <b>SHA-224</b> hash in
 its signature whereas the certificates of the roadwarriors <b>carol</b>
 and <b>dave</b> use <b>SHA-384</b> and <b>SHA-512</b>, respectively.
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
index d4b532323..929f737c8 100644
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
+++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEITCCAwmgAwIBAgIBETANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEITCCAwmgAwIBAgIBJTANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA2MTAwODEyMTI1MFoXDTExMTAwNzEyMTI1MFowWTELMAkGA1UE
+b290IENBMB4XDTExMTAxNzEyNDc1OVoXDTE2MTAxNTEyNDc1OVowWTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0z
 ODQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAtCwjB6Yni4jSTbPJ4GX0kM06nr2tDBdU0PH6dZra
-IXNaNiBthBNPNDeCYAQDG/ouwuywAJ6L2Lt0GYEhJSwfXMm87fYSG8qRP+C/nlKz
-3fCfsuZ8yOAo5NAp2kgvbFVdB5cMeOtid21UqUvDxkncjFRDgpERtrjSthalUFYu
-ObIcSMPdlcDho73jzq6zVK5XDJ4l1LHUQLbS4SzyrphCYKekTIoDy3YwRUys6Pdm
-4QlFBIXuBwOYHjclvVu0HQVNSM4nWAJd+204KUm/+8neO0kn1Yakv9yoa47o3KGP
-3XjtmcgY9SqBbuF+8yDcZQ7+5zUBjc0J+d8txdPoIjLi7wIDAQABo4IBBjCCAQIw
-CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFIUlEfDm3V0eDmRrpIvj
-4FiPpGlpMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw
+AQEFAAOCAQ8AMIIBCgKCAQEAuByYUPGv67XSQHjpfFjhuH/l/sMIQGhsFcO4ebYv
+7otSsjbH4gasmAOvEFxoIxkOG9IWFAHP1WyiqG3sOsyyfUg6wHl1FTe4Y3kHWZp0
+DvtT6CWnnxQwKibIhXfB3IPHRTcRG1zGN4J3Vl6IofIRlrl0K3NYUUofn0xMKAoS
+hLjwuqq2eviX5NIQDOTnoga2C5Ed58hIc6/YWXzfg9EpB194tcCWmSj7yfq6ruD9
+xAh32ywd10fsi4tt3F/BWzXjySxBlBhvvh6kL/Nqa6OSWaXsvZqXmrYm+hm4LKkO
+ZLZYzBqJRpRm1rEhYqMg2u0SSSTXsNFuw+027n7Vt8+DzwIDAQABo4IBBjCCAQIw
+CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFPk6ATSleHErWFAYkCZD
+BhDo8X1qMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw
 CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMS
 c3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3
 YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAL5ZmFmy8lW4Vdwq
-hWB6qTtLLa1wwCvTXwbV9V+F8dK39AvHj6CHFqTiFhAbGIq/Ryt9cg2XGy1TDjVj
-hQEua7mjp8XH2j2NLY2SiFTMjchbHmMylFk2FrHy2ZnmlRCiH83TAw+EnUWsQKj+
-gL+7Of9SpiaaIblrl+aCiBVktRuXcFSaxjYWTVXOeTCwnxQdF2SNtUKDoCuVPk1J
-XCrs86mj575xL/FGjyN4SVbjTEZ4lm1emxrf/RblZOhCKp7mUic8KyP0kf7o6X8E
-MXXjq9fDQVrSDG/q62uhZu7CyInnBpWnoUKiMImSxRn/cs0r7RUspC5DtJyhE33Y
-DW2BzIc=
+cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAHiE/MMyXJXuMuhw
+/lu/UwjCHbbJMA9QrBJe++34OwAV0siM98loVLs23vHXk/52QHRIwZgMLO2FF9Pk
+4JkFOvTXCgNPZKrUL28UhHsnJe8EZVOuir5o6yTSti+J/tR4M2YoY67JjW/KeTwU
+BVBtBVH88gf/xm2mSlIrkHxG3/GWqyEdeY7BOaft1sFTTZ1gKKXQlARtWidho1mf
+5Y1lZ//kOuvMjnk+hEWPWESq8lBzLOmQGBk65vaEH3LVZxSQVJbfG2E0dHgPZNgc
+hFOS8Oc6L6AfKlWHAT0ZCR5+1YsxxnlsftHzxiA0ayGCgpn2qcN+OPjfzPCtC80N
+6oXDLZM=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
index f719e4455..1c59bcfe5 100644
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAtCwjB6Yni4jSTbPJ4GX0kM06nr2tDBdU0PH6dZraIXNaNiBt
-hBNPNDeCYAQDG/ouwuywAJ6L2Lt0GYEhJSwfXMm87fYSG8qRP+C/nlKz3fCfsuZ8
-yOAo5NAp2kgvbFVdB5cMeOtid21UqUvDxkncjFRDgpERtrjSthalUFYuObIcSMPd
-lcDho73jzq6zVK5XDJ4l1LHUQLbS4SzyrphCYKekTIoDy3YwRUys6Pdm4QlFBIXu
-BwOYHjclvVu0HQVNSM4nWAJd+204KUm/+8neO0kn1Yakv9yoa47o3KGP3XjtmcgY
-9SqBbuF+8yDcZQ7+5zUBjc0J+d8txdPoIjLi7wIDAQABAoIBAGmMhcUAYKBMui8N
-CVHtSJXftNyz74Fq1aRGbdyhp/H6urmEy8OY8Eh90GHhV9T2/pfwwrbKKtEAF+at
-EDbPn1vjT0v0YO1pAShzyK2+c2KsiVHr1uRy9WH+VNZsfWOwqnw8z/CyrI+cPAGl
-wf4S3SJUZuxBgigSJFbJ83SZ2CCxrF3xyGyHxqiFWp0QMV2FPR3zedmwQiZTJft5
-fu3K5n8xlhHoiS32fuM57eNKKxt0v50JcobpT4uXBqPCrffOlORnjISRoWt/coSy
-pmj1GFyRaaM5StvaEcowdZejIeVInhM+T1WEQ6mxog/JkzBPBStuSdCKxccqiTRs
-ZO4i8xkCgYEA2KBVcgot6LB/UmYkXF2roaag/PYL7V0wdcF3BMJ2rwdT67fIaKm3
-aroxZpVauRLknH8epFpPpxbbLdyBjkNCuwB4NMKGwTZLzN+mFsQKLtFAxz959pPx
-df5G30CmU09pJ+99C1m3AF295tOd4LTsw6OjyqUJpwl0y10EBg/FwN0CgYEA1OuY
-jU8s029Hv6/2HB22rw5UN4Lj/ori/6SGZ5pHAdQVCooVaEd7HRgzPQKXGGMeNAxH
-7oCVJWz16+XHDzyRVnjErn9Ux1mr/axiAiFC5MeNIHT1EZ8/NUCZJ14PANWobJpt
-ft55BiNd92ygzVVsJgDzuWF87MILhk9AA7buMDsCgYBrPm0uyQVTZlWSOIkVxTXc
-EH8w3Kqo93KvSXkfvRo+qpUMZG7uCd+JEea1D4nbiBPvuis0WJWIdhNKUBk/keLu
-a1wXWpqV+shqA+rY6HLWHLhCLBW4UiO/M4RosDvnkK/RmonAXcjwgHgsV2WYwllY
-vaGwCCaQMGlG6KS+T36qbQKBgELciNc3Gbh7pWhIdVx26DsooMGd1MLGEmp828gE
-5m9ojgL1QauxZrPIOa7a9V+vIHjvslbvAebyxHcDfPMH7gvdeMXjLlg7jIroaw6I
-K110XJjooVybSVoLowx9uPBmJ7GS/PduHUsUKBneftB8Fq4IdoCsYHJorP3MPSnt
-c/apAoGANwqIIdgf+Lu17kDO0svQDzuZR5cRCmGZ8BpC+SpT49VpRaitYNqbSgVy
-kOzXK1ZrO7nPnGkOQQjcaZZjKrUaMFMECFhNTwAv1RQZgkYDA8yAIC0MyACrwiGp
-5fg/ZwLjlOuiJZ3sEUwRsrp72DwXE3x6X0+bJOr+KlPEq200E84=
+MIIEpQIBAAKCAQEAuByYUPGv67XSQHjpfFjhuH/l/sMIQGhsFcO4ebYv7otSsjbH
+4gasmAOvEFxoIxkOG9IWFAHP1WyiqG3sOsyyfUg6wHl1FTe4Y3kHWZp0DvtT6CWn
+nxQwKibIhXfB3IPHRTcRG1zGN4J3Vl6IofIRlrl0K3NYUUofn0xMKAoShLjwuqq2
+eviX5NIQDOTnoga2C5Ed58hIc6/YWXzfg9EpB194tcCWmSj7yfq6ruD9xAh32ywd
+10fsi4tt3F/BWzXjySxBlBhvvh6kL/Nqa6OSWaXsvZqXmrYm+hm4LKkOZLZYzBqJ
+RpRm1rEhYqMg2u0SSSTXsNFuw+027n7Vt8+DzwIDAQABAoIBAQCMhpbjwXWLLd5r
+A18DYDv5PPXpvCdCMfG9swPNMnfnVUQrbpCmPn3iEX2/uShrEaapKXNclf1yY1bL
+xAr43mCmK0lcu9fX+A2vLyOjCrbm8IIcwRDt5NTWd3+6D6xSierBM8TE480PdW9s
+5v7WzRMLvkWjHIkekrsMNYozTWzRC6MgO99hzalWzKSeHHxlieoG7sN8KQ0hmwO+
+lMR6XDwrEnENbDbX//rbPjD4gdkqwAzCyf2IMNAHefAJUrjll2t1aQNknGwpDaAS
+g8Il7iAwIxoP2SrJ89K4Wq4Ifq+tLeX1sjwF0IESi41xNZZ/CrLiJbIPZSyBVRvx
+wwzObUPBAoGBAO6Gu2QaUoIZWpIL5TcAbQIGUx4FPKy2FbKWnU6VL9fmw8DGqKC0
+WX/CCSBmYHQyvlozutX4g8PI6YfgbbuPpgt/yJeLO+33PZK2Cps0//0EmEIvZ7ZM
+kOV+PRNuDIlKQNCaD8LdAcp0KSUc8vo3BAYArrjd1WZze85tqgAHmKR/AoGBAMWZ
+YkyQwBE0+W9P5gmGwuc+q2T3SjpGXjtzyo63K6ra892u49xIklfvNZ3PlgNbTSCo
+tTZLfwRu2uRhh2C8ZsjwfdpMAdT0BNCqEXtdp8JBJiNmrvY17NrSJnMginvu26qM
+QbsaF2Q1BV7OMZHvjgYrCqgokUGcJY6A0OlftjixAoGBALa3mPbOvyOP/nRgDl86
+wUZKyAL4Kgl3llluzOP0nmi6Cnwy8dvhK6oVXl5mbj603GJGvDnKnE0vK819WzHR
+kXW/lk6YRvk8avtm3esVB3+vtF8G52CbeGeEc47dv1av/cSOL8KrAAMxRo96hJqt
+6DQc87sDm8RWdKGmGhLZvtFLAoGAA+bJaBWblTtkiWwccKe2hXZZT/8J+iiVh7r7
+juHS/Oah1giz+w97xDy25EzK+3n8Bd8O5OmMsnu12riKQcC2jtUgxwSlLJ080xno
+inUI8O70X9KRNc9Ow+tOUwubcGMA91cZnSYgvBvH5V1Q4T7HoRuMdFGIvLDmlO+6
+MEFxiaECgYEAw7GqJYl2q6be56WANWA9ecNenr4+ekHZImpK0vb1bYD2LinfFNNK
+9jOHK2tK2jV3DgfUEieItz/uWV3iCJkIfErwu3ZS9qnDBu70OHGpsM1nXRUzZ0Ct
+5vOlBr5h6DMrP+ou/95yeraoibqs2kTUrAdkC80Yk5nbEHFDiD6cJcw=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
index 73088cd1d..fc769c1c9 100644
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
+++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBEjANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ
+MIIEHzCCAwegAwIBAgIBJjANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA2MTAwODEyMjExMloXDTExMTAwNzEyMjExMlowWDELMAkGA1UE
+b290IENBMB4XDTExMTAxNzEyNTAzMFoXDTE2MTAxNTEyNTAzMFowWDELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS01
 MTIxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDL4+PsltDM0QCCS08tkefhll5Q0nb2VEdRZotBIdt6
-XEY1kmDlw0yQOp0XUznnIhcrxXpKeWpLqJdbo56jSxMaUB3Mod1u+aKvVhCgkOT8
-uQa7gIdcNMuXnfnch7yYYS6YxVfzdr/qXBxmVYNbR9sXy48vAD6glZLEVjDITHJO
-a6tEVSrAOMyeuA9XTYJiGw5loj63YbUr6Ikp6W9SncPCtfX6G2Amk38MTuITu93W
-Pd/bGB06ra6gmMQGAhXuGs14n3QZfQz9PWTp9TPsQNqQZdEjQyNdfeAKtPuz5jnO
-cnZuhvVR0q4sxWuy64vkyZ57luTZAXyxdInBeBOp7sC3AgMBAAGjggEFMIIBATAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU0wvMMeoe59mocM/RiYnD
-iw9NUm0wbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+AQUAA4IBDwAwggEKAoIBAQCs5SBCzV3Is/w7CIzfBXRGv6uXwyDivRXXYsczeSRf
+5mw/slRVAEtNbX8rQ8BWLIqiJPCLDek5ODkqKI+hArZVpJqMzZyql2Teosrtnokb
+h/yA8EWtEr0jII2RxQ0xb8r25h+DwBosAM15B1rCAMmJOjbEMMBGmAb7y7N0K8nr
+Z8RctwrRdCGVcg+f+LFrklF1tBLs0zGIrJsk1eB0XbrB+fEPar9Lmn+/q2QHGPCt
+aOlR2ZxRsjqsYJW9yI8r33PVVm2aGmS/19UguEG8FC3owud0boHfP91/NvSIWfhP
+iIuDPjJOBPEJ/I6OYjYXXQuOZYwFGau2WrpNDQioPgedAgMBAAGjggEFMIIBATAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU5re6olyWAt1HfN2l92Rb
+7DDCnxMwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
 BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
 dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdzd2Fu
 Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQC/uKe2O9elbSFgpKP5
-7ZjJrCkYu493iH/PDm5G4D76q6WkRvZDqTgGDSIrXrt1xRLIsVJES+HERxfED0DB
-yXNe22p1jR8iZdCesZxmEsKYyLh9XmeixKCfnLvStWCVs0+vqwhJlIkyEAveZ4HR
-Yq121khdmCDDUugpjEl/nU7CLvCRVgFrlhDm1QLs2rYqxwQrJ2SH4/1W0YRdkY2R
-vKZ2ngjLBNjBfXWNXSOpEAG367nVam5lFAepUC0wZTshyCUXt1NzClTnxWABm6M6
-x2Qwg4D6Qt5iXSjR8+DGVh+LaBL/alQi1YYcjkxufdFHnko294c0HsZcTZ3KRghk
-ue1F
+L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQAtRPFMSuEnPmqeC2mF
+OE5N26r2p8HfB4FAPwarlg66IIvKvkk1zqn5YfZIXfMU/x5q+85aO31iQmjlAPpo
+KXqRq7V0a0ldjXEr+Tz7xG3jno989dBrD3kQZnwXR57xGt1qTVGY7uQdbgXWzVHM
+GYS6gjUw7Df9vAQcTfUxUpZc5wlDoiRrFkyPc1raFCZF3//Ig9agjO4r1SzPHYw7
+LrHJR1xkd0IWVTW8Z6xB14j452IiimhyK1zAR3zmh1vH9VuHDLHMhyjSl1R+gk5U
+KzDPaqXd4NA7eIQNiAhysYTXfmUYytbFNZw9bamxTxlCmca1snuTIcFM5OYOfxRT
+iKMh
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
index a4a8a4f22..900f73bac 100644
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAy+Pj7JbQzNEAgktPLZHn4ZZeUNJ29lRHUWaLQSHbelxGNZJg
-5cNMkDqdF1M55yIXK8V6SnlqS6iXW6Oeo0sTGlAdzKHdbvmir1YQoJDk/LkGu4CH
-XDTLl5353Ie8mGEumMVX83a/6lwcZlWDW0fbF8uPLwA+oJWSxFYwyExyTmurRFUq
-wDjMnrgPV02CYhsOZaI+t2G1K+iJKelvUp3DwrX1+htgJpN/DE7iE7vd1j3f2xgd
-Oq2uoJjEBgIV7hrNeJ90GX0M/T1k6fUz7EDakGXRI0MjXX3gCrT7s+Y5znJ2bob1
-UdKuLMVrsuuL5Mmee5bk2QF8sXSJwXgTqe7AtwIDAQABAoIBAH9mxAoW5xvEUTQZ
-SL1p2WH9qquIB2u+l93GXKdzN4iK1hgtgjyvv0y0Q2rKx3iktaPVPqgAnCnwi7to
-Tv0sMSCVBTnTvuDUPhKfjb43K8668vkAxBQarUjtHq7tZiw1NX+ieGWaQyt3KQvM
-zUqhaMbCnJK67Wc8bzwdu1e9ZQOYZlRWke4G8OU3GFkG5XsOPnoQySWAlhB6VEjv
-qUZ6BS8SYTy0Rdzyjc35a3cvtDUqs0MOFVJ+gW44bje2B9X+59Wc8m1PJUf9P5+4
-HyNJl3BYfMUobfDuoSKBtcJtudGClUpBSCvBV34X3cYS//jNTuQxfZVc1HJym94C
-uHj63wECgYEA/7ZyDDGap7dZahmhsU1a7H69zSrhwZDj9SozSnbWHfpml2yleLYO
-fh94Jf8iL8yA4taS7JlB0YCuvvBsvXez2aD2Alh5rYqKYA/TROEXz+MLr4fqwi/X
-ZvG1O5oM1/rJPQ06TKzEsYyAUKY3vInivrzUKIv0UP9D9HdkFWAvTYECgYEAzB6J
-0Rrn15LFGhpzC3m2QH6EjWpoD8FMgGyV9E86d/v8kwBGvxRL8uma/mqP2A3okfuw
-8ONP2HgXM7mUkr5wN9XbSuTRRUkDBsV9+tmR4pzMhKfiXZTekPIfaXTA60Fp9Ip8
-ddojWjs9P57ayxL6YVU/Y6uAON9Jbi7jH5DmGjcCgYEAjSjYGGchqsgKMgnoOoor
-UTY97I5phYNIc8RSAB9N38qk655sUhCeO31/w+nto1lPJOmyva10qgRRctIiFQ2J
-WPAEHhNdSDGcZZ8Wz4U6seXyQ3nSXFQwooF3vGk0Ad5NTMiKkF0nT6PyCZNYXVn4
-s7Zln+RygGwJxWBK/YnVUwECgYARgPzohZokDl4AowwCi+lpFnBfgCR0VWsuCCHD
-1Zd5+o3qPTfT4vWwWwADmTfEm0y6WA8QWS3brlCvCtcGznXpE9m+TmjzvBMaXY00
-Gbw85p1TMuJijAWaAGlZLb3tbqqbYdTSdmZZsoLKFeFFUNdPyXOqJGbWea9eV376
-kf5peQKBgF5S8s7A73IqmvUcfGLdg91ff4PGkDhDjNt+hzACX9pk0LQiCBSM28Tm
-bYwKy3P/Id7lfkPqe/lyTxBMVThBMIgW676g1yNKz21l2L5qakZQvunfqNfaV3iP
-Y0i+BmuXM/SjEP+agX9hVyUZfqxITqUUgHA7GIP1O4/LJAZCbd/X
+MIIEogIBAAKCAQEArOUgQs1dyLP8OwiM3wV0Rr+rl8Mg4r0V12LHM3kkX+ZsP7JU
+VQBLTW1/K0PAViyKoiTwiw3pOTg5KiiPoQK2VaSajM2cqpdk3qLK7Z6JG4f8gPBF
+rRK9IyCNkcUNMW/K9uYfg8AaLADNeQdawgDJiTo2xDDARpgG+8uzdCvJ62fEXLcK
+0XQhlXIPn/ixa5JRdbQS7NMxiKybJNXgdF26wfnxD2q/S5p/v6tkBxjwrWjpUdmc
+UbI6rGCVvciPK99z1VZtmhpkv9fVILhBvBQt6MLndG6B3z/dfzb0iFn4T4iLgz4y
+TgTxCfyOjmI2F10LjmWMBRmrtlq6TQ0IqD4HnQIDAQABAoIBAG0+sa3EGdgxcdTT
+SD+7MIdroL7Z+rOKCnz32yp5BzTZYdi1k3fKIcqgv1PVEXjh2A8wDBWxCoavMd+j
+lW2FSzS+NzF00eMwmfnbHyIZpESTHkdSipQbXQsPDKTov7dXDgYHzi3vehoHv80T
+ipM+8BkXgXdh3nw8n10GjzN+X62v73pQxXooC2JrsxKPubB9NkX8UtcYddrmMQpr
+xOixBsk3VwkIh+3CatBPKJH/Ryk/U9rMU7F7KlAi+xHj3UF3iAvUwYVaJWAeWfci
+KP07cFxsar8Vgf2IK+sbZP6LPky1oiYq+VkIrgX6UPtyyrS60Bf7OFIy5I0Hmm8K
+b0rChbkCgYEA2B1IVtBmNBt/rCwqWgRLf4vW86JGgKAOx15hucPdA1NAHygNLdZC
+bcM6OkP1PEp1mpA0mDgYQQdggzsWKYuJjtf8MN9sZwi6SrRI2Y3OCy7SFLsyDNkz
+xkWo6b5/WGH+cEzVRVkD0RU97xjXudXzcwm1PA5goRcGNg1zdvOi0XsCgYEAzM3d
+tbq3txVh5EK3IeCsvtQGY4IFADdjaC2wgTeOlHo/nGoCB8TuFMN32MHqlmAdspJQ
+PojDKVZhhOknJQpBI1iYVYTJTIwtJM5CeY5gwhnrPVru4LJaa8zXTJdIeZ++nJFR
+Dawt5rsJ+f2yTzQWPm2Ywbril8KBVwqD4V9uQ8cCgYBk/foqJ6U7QIZ/TPxVqKAn
+cI/4tqK/xQxi+qYsi20i+qqCZNMT0oakiJETXWKi1CD1I+KQJ9advPbLHLeUnpKf
+4CsII8CivZ9g/bL1h6D79NtTuM8A1het1ivDX7Re9xxSGnWnvJtd/9E7hJ57R5JG
+9ghtkkJxxTKv28VTlzNFNQKBgDuQ4Jv7a3V3ZZpTARp8UyHJXvZQGY4/jcz+BOkA
+NJrgl2Gxv1dtImWtmEzV0Znc6KZIQch+VGzQb9qNSVJPkjRqjxvIXBfEaVjcGJ9s
+Fp49lZqpuPJnTT8vO6tOEMk2+eRlq3JTkqIZ4kPwUo0QtCuCCrzF0yOaca3UJBlH
+fTV/AoGAElXK1jYXzxJLTik9TW3Jl9w45GP572HAYVBc+gpCtvxVvr9V8qsiDST2
+hovbkEcG6o+rCAgHnzdCxpK0Avnb8yyu4yvBGTWowoBqF9Nyv2aZts83gRxEapZC
+Mc8u9QuIB0QCea13jgWWkkMLr9lt7kmVjR+Nch4lcF4RVqagEEE=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
index 67e97ebc2..98d9a8749 100755
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
@@ -15,7 +15,7 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftcert=moonCert-sha256.pem
+	leftcert=moonCert-sha224.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem
new file mode 100644
index 000000000..bda4f528e
--- /dev/null
+++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENDCCAxygAwIBAgIBJDANBgkqhkiG9w0BAQ4FADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTExMTAxNzEyNDUwN1oXDTE2MTAxNTEyNDUwN1owWDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0y
+MjQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDEPYW1tmcbkgNMcnOHXAKHlgL2k7r1+rVWJ/8NF9vI
+7MpQ8qomHPV3G00CYSQsCDgBVvK71pasiz+dsYdHAY28ihb2m/lsaSquwsb0Fexj
+hJiqaohcLJk0MjTDUdArh6iddvDAYMDkfApM49TaXNxdz0sffV5KOIH0hrQe0wsw
+P2p/SHTATNh3ebTLr8Y7dMKecxFrKQswZc+d7gvIftZXRvjsUprc77dDURGByPw3
+N+/23chuDXNNaxMylWQhmiTUne8tIyg0vtur3do5Dq1IqQKqvxSfBjRL6ZJU0/6l
+KuhChV0cSVd2H2zzovuke5XzHzUsoESWXWYK9qIEj2HRAgMBAAGjggEaMIIBFjAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUT4FJonJgeZBpFHc8iosc
+WWM+mPswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
+dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2Fu
+Lm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEB
+DgUAA4IBAQA60WN0QwQuFVYg/C156POjKENZP9CGF8NyiC/NUYqgbIrGGTTpwTxs
+pW/+YDG1tVtCkqtLGsO0uZRe8Ihs3afNsPMNlCiTCPgrs5erc4ZTv5MB7Ap2lyL5
+NSQ9SggICbQhkHQHP6TINtas9+FrAw10jWIa107DYLLC7Ea77Y5vryL6/ymrpwdL
+Vwm9kAkGYvm0lmzw6YfzPskKc3MpWnjBTraPG42Z8oWTEDJnBtS761k60lNwndKC
+JdRUxoOOegzsKIIzorRz9xCN2zA2CAeChqHMbBpNCRwl0dQ00ztXReONl97iNgw6
+NrdHsqCiH8Q+I2JCxU230Zl6UFKARLo+
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem
deleted file mode 100644
index 307f4953e..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBEDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA2MTAwODEwNTgxMVoXDTExMTAwNzEwNTgxMVowWDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0y
-NTYxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDzXHm8D8sY1lmX7o1KK0jt/M+UzAI2Ifpx7nAqoviH
-XQIPe56BOAm4zHhEIlojEMFd1nncplXvDDGjuV/2F0KK1bFxbNtom88Ix1jrRWtk
-FLopYwj3ERC2970OhNO3nuPLrnEAzj6k3XPGMTA3drGnpRf162f7mHAdmYIRXtWm
-mfaecs4wGFs8BFGdeDfo6SPhQXZSBwZqjzQxvk1PA7E1qifgR5IGNZkNQRQ9IZD0
-86xzjmZgg5DaJcQKw45elpiVKQN6OkdWTngR3uUBfseWNeRGP5UxCUbDnPijWUbA
-6ZAdEfFXLgSpSoXHLNttvGg+SWm0kgKTpHYWYhvpflKNAgMBAAGjggEFMIIBATAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU0gL3aEo/H8c/Ld/GkBTb
-W9Ma+nUwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
-BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
-dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2Fu
-Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCItzRn3TNWUzczBd8z
-MtdPEsRl5Oi4fV3UecQxhjxAmJDLsEZT5I4uNa1XoLkJm6jVdSL7k+bjzjmpNJ1H
-uL49cqia2yTdGP4IU0K8dTGaflg3ccaLLGGXTWU/NtgdI1o6yuZTwb6a9ZL7wWZT
-x21BAsvyPTzCpUS1yCK4bFeYOxOYDphUGcwb0JTuRxx2/710b+p64BYiCfVkQJxT
-eF1ZtjSW6nJgzMRg5n2zNpdrdXMMCPI6Nl7V6wxbs3Cphmz5qx3lijwi7nZt+jE5
-qK5gphph1MkKIhnA7MF66KEcx5Rknao68yLBBDIA/AISZ3bCIj8R1SGgl/tMYfep
-sbRF
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 58ddc1525..51a33597e 100644
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA81x5vA/LGNZZl+6NSitI7fzPlMwCNiH6ce5wKqL4h10CD3ue
-gTgJuMx4RCJaIxDBXdZ53KZV7wwxo7lf9hdCitWxcWzbaJvPCMdY60VrZBS6KWMI
-9xEQtve9DoTTt57jy65xAM4+pN1zxjEwN3axp6UX9etn+5hwHZmCEV7Vppn2nnLO
-MBhbPARRnXg36Okj4UF2UgcGao80Mb5NTwOxNaon4EeSBjWZDUEUPSGQ9POsc45m
-YIOQ2iXECsOOXpaYlSkDejpHVk54Ed7lAX7HljXkRj+VMQlGw5z4o1lGwOmQHRHx
-Vy4EqUqFxyzbbbxoPklptJICk6R2FmIb6X5SjQIDAQABAoIBAFl1Rf6eo57mtJqI
-A4IfNTjetQPSloGFrgWRi8PwkoFX7Dj6zUJc8h3vc8pAAnhfYWV4QOWec3pjNiAk
-NaVF2Z0lfoveYy0qEUn91a7untJ0WBZ8pEAGEunfWazroNQf4UbvQfT028xI55UU
-YdARnq6snok01s2CtLv8wPZXsRwDRzs3FGg+S9ZCyYJ/NdRVn9JdjJLqi79mqGqM
-il2bia6xmS7C/FVbHo3qS1G3WTXuwN6wLRihAzAzgvByeRnj1P3XuBU5xdAUwulm
-6/LAcdZ/teWhR0z/NGAkCJ5NZa9u6u0OAyc6HSrPG6sGo8fQjXNWUIMwP2ucpg8q
-Cvxt0GECgYEA/xfPo9d3cAFCnrBkefamtOU2jOOJeFVoapYQpEpOR0soTKx1BqUz
-MWoqDuwjQTutwmfOlsDCL7T7QCQwAOQ4jwNdxwTm1EysNojVTkwoFJBicmvjrjof
-MYyXv6EuDJnSDSmeTLuiDL91VoYgE1IeJjrunDLTCEFYBObI/LOjCmUCgYEA9Dn8
-a5wm15t4pSFJl81vLfY8lz4FtCWYygqmafh1HEb8UOAFZAEtCe7ulb1E4ce/IaNt
-/YALjbMFT5D0jhRwmljBLHzJh3v9H0jl/0vudXxrzS7bqfHnbB0enJWsZBCfDBA6
-hiZd645F4gJyWcI/MQXP199w+UgV/v80XGyFUQkCgYBejo/8VrFCRmVQd2g3QXOY
-GGL5JJrfjSEwaUHv9E9B5B0jFsYmWXQ5e/XtJCEJXDrTljEg9oDEuFxt8TwOCIri
-kEfhrvJ1fZpUeLJA3L/6p26mpVF3UrofXtMdSHzOVPJkyKmSHfc6rHmtQfh/0O+2
-EiBCrCBHrhkXcAjOizQDdQKBgQDNb9l9S6UAyK77eLzHDO/w4aimMG3r05Rqn/rM
-OUuJtcyY21itfq+8I1hebQ98POHyEd971jHhyC03eN++hEMUEoSsP2vmo82Qe2m9
-DspP2ZF0z23Hzsy0jOorHVwd8D1ZkG0qWyu18b+nFhfKmTM+sXzcQgBuMM0P6uzI
-siCSwQKBgCOPBbSSXEIMUAKcsJ0p+j2fEy6CKmb/lOu+Aw1uvVNZI+xoOuXTmj9h
-Jf79Lbhj16vmj0BPhRPyVEpgGIbNLiAU8518xGGaNdJgxQONwn9UGSJz4bgsbNBj
-icwIRVYbKF13EKJp50tFpY+4FK2Z6Bg2KXh5RWWQdYcTApWBjyrZ
+MIIEpQIBAAKCAQEAxD2FtbZnG5IDTHJzh1wCh5YC9pO69fq1Vif/DRfbyOzKUPKq
+Jhz1dxtNAmEkLAg4AVbyu9aWrIs/nbGHRwGNvIoW9pv5bGkqrsLG9BXsY4SYqmqI
+XCyZNDI0w1HQK4eonXbwwGDA5HwKTOPU2lzcXc9LH31eSjiB9Ia0HtMLMD9qf0h0
+wEzYd3m0y6/GO3TCnnMRaykLMGXPne4LyH7WV0b47FKa3O+3Q1ERgcj8Nzfv9t3I
+bg1zTWsTMpVkIZok1J3vLSMoNL7bq93aOQ6tSKkCqr8UnwY0S+mSVNP+pSroQoVd
+HElXdh9s86L7pHuV8x81LKBEll1mCvaiBI9h0QIDAQABAoIBAEnZeTMb9ItslG81
+dwKOfqk1q+HNUIN3GLzWimYL/3sKmUyDNcLoDPwIux9VHT6wzRq79Nb5d3RxZrxa
+bbUsAYHdWazun5vLq/Nee26pvW7qHGWtd6lwYytAZZjHdhabk7nGY+2Ru6WAhIPR
+DW4rmgZ3lya/kDdQMp+p/ajH9SLvYdo8rc3e2a5pJJitR3iU9rFO8PRSD6is7ldr
+FxYDMWv+Latkscpku4fww8X6XlHo3u7usogs5FHjNePeJjNkzdj5X958OmzxN4JJ
+jKheFALXJuMYY/9MLWaygkZgWuD1yr8chBtH+kxJLqbv9/pBaQqehEDfGOgfPnQi
+OxccUS0CgYEA4VL/hsJvhziqd+MHryrYvPQgHZJf+ksMpRelD/zEJRjAGnyT2hDQ
+R1H9jKP689E6lhCire9ag79rkF4lOvVWpM4f1XOPwX9Oap93dRn5PZLCMKfmnuo7
+RSC3qsGRdzIB0j0e9XQXW3tzoSVJtASd0X7qMTujaWQef7hNPW/To9MCgYEA3vTk
+YQGARsJIjvF1xu7ut1NC1GyQbvDShylmrOBPTBRgzIEjWnifDH79BAXr9yTigqR/
+qHZhWC0bPPY2x6iFi4dTa30vNGqP61GU4HouQDZ/Lf7TXL7pTHRSihL3x9f2nIu+
+nyEhfrYomt0M960OHS5izXP/27vXItLTazshMUsCgYEAn3lOwOH8bYf9nrxgQ+nf
+XFysHkHrDArx+Caz/Iy5hkfuLtDdFAmyX8f33AJzKv16qZs8iD5Poc9pIdSAJSpf
+GGWKwlf39stThMM4mPi5HoswRZ+P6gl9yX9OftxhSCtsfpAjyTVREr5dKEBr2a0q
+xYs91XqQPZdOvraCdGkhMWECgYEAiQFTlYimmtSoYa5fAW+xoVW4q3BLEOFLfWMj
+hPgRwl6DXSe94cpdcgBW2jIJXkV8K2uKRqr4BocxRbTG1MnpxmPSDytN5pfU+HWZ
+Vpe99BeI72q31zY5hpG0ZsRhHpzHHkuBR6fEPWkSapeLcGcXVTc736R4hT5YZT3I
+TQx4ySECgYEArIxFy2zEbQH8znJoRwshSSanGovSCRxpoP+j5WHlccMQAjDhoFMg
+KLCXbbnNyM4qlvwHG4Z27Fgexvk5dPHYnQlW9A4YP4o6SFf6RnxW1ZdR/Kc4aY/6
+rXxt+Q0rf4qRKbTh90yDnc2YQj11g9BgvFliIM2GOTq8NUtjQVRgNm4=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/compress/evaltest.dat b/testing/tests/ikev2/compress/evaltest.dat
index 279033f2b..22dd94866 100644
--- a/testing/tests/ikev2/compress/evaltest.dat
+++ b/testing/tests/ikev2/compress/evaltest.dat
@@ -1,5 +1,5 @@
-moon::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUPP)::YES
-moon::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUPP)::YES
+moon::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+moon::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
 carol::ipsec status::home.*INSTALLED::YES
 moon::ipsec status::rw.*INSTALLED::YES
 moon::ip xfrm state::proto comp spi::YES
diff --git a/testing/tests/ikev2/esp-alg-md5-128/description.txt b/testing/tests/ikev2/esp-alg-md5-128/description.txt
new file mode 100644
index 000000000..7a14be2ae
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-md5-128/description.txt
@@ -0,0 +1,3 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>3DES_CBC / HMAC_MD5_128</b> by defining <b>esp=3des-md5_128!</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
new file mode 100644
index 000000000..d65d71240
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec statusall::3DES_CBC/HMAC_MD5_128::YES
+carol::ipsec statusall::3DES_CBC/HMAC_MD5_128::YES
+moon::ip xfrm state::auth hmac(md5)::YES
+carol::ip xfrm state::auth hmac(md5)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..09797799f
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=3des-md5-modp1024!
+	esp=3des-md5_128!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..ae83aaf58
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=3des-md5-modp1024!
+	esp=3des-md5_128!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
new file mode 100644
index 000000000..3c3df0196
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-md5-128/test.conf b/testing/tests/ikev2/esp-alg-md5-128/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-md5-128/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/description.txt b/testing/tests/ikev2/esp-alg-sha1-160/description.txt
new file mode 100644
index 000000000..caa1d3f8a
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-sha1-160/description.txt
@@ -0,0 +1,3 @@
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_128 / HMAC_SHA1_160</b> by defining <b>esp=aes128-sha1_160!</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
new file mode 100644
index 000000000..b0277271d
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
@@ -0,0 +1,9 @@
+moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec statusall::home.*INSTALLED::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ipsec statusall::AES_CBC_128/HMAC_SHA1_160::YES
+carol::ipsec statusall::AES_CBC_128/HMAC_SHA1_160::YES
+moon::ip xfrm state::auth hmac(sha1)::YES
+carol::ip xfrm state::auth hmac(sha1)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 204::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 204::YES
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..3991d517d
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha1-modp1536!
+	esp=aes128-sha1_160!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..893419585
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=yes
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha1-modp1536!
+	esp=aes128-sha1_160!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
new file mode 100644
index 000000000..3c3df0196
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
@@ -0,0 +1,7 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/test.conf b/testing/tests/ikev2/esp-alg-sha1-160/test.conf
new file mode 100644
index 000000000..9cd583b16
--- /dev/null
+++ b/testing/tests/ikev2/esp-alg-sha1-160/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/net2net-esn/description.txt b/testing/tests/ikev2/net2net-esn/description.txt
new file mode 100644
index 000000000..da847b6a4
--- /dev/null
+++ b/testing/tests/ikev2/net2net-esn/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+With <b>esp=aes128-sha1-esn-noesn!</b> gateway <b>moon</b> proposes the use of
+<b>Extended Sequence Numbers</b> but can also live without them. Gateway <b>sun</b>
+defines <b>esp=aes128-sha1-esn!</b> and thus decides on the use of ESN.
+<p/>
+Upon the successful establishment of the CHILD SA with ESN, client <b>alice</b> behind
+gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b> 10 times.
diff --git a/testing/tests/ikev2/net2net-esn/evaltest.dat b/testing/tests/ikev2/net2net-esn/evaltest.dat
new file mode 100644
index 000000000..928783c87
--- /dev/null
+++ b/testing/tests/ikev2/net2net-esn/evaltest.dat
@@ -0,0 +1,14 @@
+sun::cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ/NO_EXT_SEQ::YES
+sun::cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ::YES
+sun::cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
+moon::cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
+moon::ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
+alice::ping -c 10 -i 0 -f PH_IP_BOB::10 packets transmitted, 10 received, 0% packet loss::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::ipsec statusall::AES_CBC_128/HMAC_SHA1_96/ESN::YES
+sun::ipsec statusall::AES_CBC_128/HMAC_SHA1_96/ESN::YES
+
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..98f4864d3
--- /dev/null
+++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="cfg 2, knl 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha1-modp1536!
+	esp=aes128-sha1-esn-noesn!
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cb17a9e07
--- /dev/null
+++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..26fde389e
--- /dev/null
+++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,28 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="cfg 2, knl 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	ike=aes128-sha1-modp1536!
+	esp=aes128-sha1-esn!
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..cb17a9e07
--- /dev/null
+++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-esn/posttest.dat b/testing/tests/ikev2/net2net-esn/posttest.dat
new file mode 100644
index 000000000..a4c96e10f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-esn/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+
diff --git a/testing/tests/ikev2/net2net-esn/pretest.dat b/testing/tests/ikev2/net2net-esn/pretest.dat
new file mode 100644
index 000000000..2d7a78acb
--- /dev/null
+++ b/testing/tests/ikev2/net2net-esn/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-esn/test.conf b/testing/tests/ikev2/net2net-esn/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-esn/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pubkey/description.txt b/testing/tests/ikev2/net2net-pubkey/description.txt
new file mode 100644
index 000000000..1cb90f13f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>raw RSA keys</b> loaded in PKCS#1 format.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-pubkey/evaltest.dat b/testing/tests/ikev2/net2net-pubkey/evaltest.dat
new file mode 100644
index 000000000..0ccfb7efd
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status::INSTALLED, TUNNEL::YES
+sun::ipsec status::INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..945cf3a40
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftrsasigkey=moonPub.der
+	leftauth=pubkey
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	rightrsasigkey=sunPub.der
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.der
new file mode 100644
index 000000000..55bd362a5
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/moonPub.der
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.der b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.der
new file mode 100644
index 000000000..8d0c644f1
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/certs/sunPub.der
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/private/moonKey.der b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/private/moonKey.der
new file mode 100644
index 000000000..49e0111f2
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.d/private/moonKey.der
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..b9ec17dbc
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.der
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0581bae5c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+}
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..5c07de8a2
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftid=@sun.strongswan.org
+	leftrsasigkey=sunPub.der
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightrsasigkey=moonPub.der
+	auto=add
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.der
new file mode 100644
index 000000000..55bd362a5
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/moonPub.der
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.der b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.der
new file mode 100644
index 000000000..8d0c644f1
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/certs/sunPub.der
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/private/sunKey.der b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/private/sunKey.der
new file mode 100644
index 000000000..7c284f939
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.d/private/sunKey.der
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..6aa9ed562
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA sunKey.der
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..0581bae5c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+}
diff --git a/testing/tests/ikev2/net2net-pubkey/posttest.dat b/testing/tests/ikev2/net2net-pubkey/posttest.dat
new file mode 100644
index 000000000..65b18b7ca
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/private/moonKey.der
+sun::rm /etc/ipsec.d/private/sunKey.der
+moon::rm /etc/ipsec.d/certs/*.der
+sun::rm /etc/ipsec.d/certs/*.der
diff --git a/testing/tests/ikev2/net2net-pubkey/pretest.dat b/testing/tests/ikev2/net2net-pubkey/pretest.dat
new file mode 100644
index 000000000..9e40684ab
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-pubkey/test.conf b/testing/tests/ikev2/net2net-pubkey/test.conf
new file mode 100644
index 000000000..f74d0f7d6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pubkey/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-rsa/description.txt b/testing/tests/ikev2/net2net-rsa/description.txt
new file mode 100644
index 000000000..a9310d475
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>raw RSA keys</b> in Base64-encoded RFC 3110 DNSKEY format.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-rsa/evaltest.dat b/testing/tests/ikev2/net2net-rsa/evaltest.dat
new file mode 100644
index 000000000..0ccfb7efd
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status::INSTALLED, TUNNEL::YES
+sun::ipsec status::INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..61b9b710a
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	
+conn net-net
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+	leftauth=pubkey
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
+	rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.d/private/moonKey.der b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.d/private/moonKey.der
new file mode 100644
index 000000000..49e0111f2
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.d/private/moonKey.der
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..b9ec17dbc
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.der
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3bc16ccda
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+}
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..24e20dc25
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftid=@sun.strongswan.org
+	leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+	auto=add
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.d/private/sunKey.der b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.d/private/sunKey.der
new file mode 100644
index 000000000..7c284f939
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.d/private/sunKey.der
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..6aa9ed562
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA sunKey.der
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..3bc16ccda
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+}
diff --git a/testing/tests/ikev2/net2net-rsa/posttest.dat b/testing/tests/ikev2/net2net-rsa/posttest.dat
new file mode 100644
index 000000000..a199946aa
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/private/moonKey.der
+sun::rm /etc/ipsec.d/private/sunKey.der
diff --git a/testing/tests/ikev2/net2net-rsa/pretest.dat b/testing/tests/ikev2/net2net-rsa/pretest.dat
new file mode 100644
index 000000000..9e40684ab
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-rsa/test.conf b/testing/tests/ikev2/net2net-rsa/test.conf
new file mode 100644
index 000000000..f74d0f7d6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index 77d3d45e5..a0a045ce8 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,7 +1,7 @@
 moon::cat /var/log/daemon.log::requesting ocsp status from::YES
 moon::cat /var/log/daemon.log::ocsp response verification failed::YES
 moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
index aeca7e1db..a1c57b0f0 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
@@ -1,26 +1,95 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 39 (0x27)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=CH, O=Linux strongSwan, CN=strongSwan Root CA
+        Validity
+            Not Before: Mar 15 06:42:00 2012 GMT
+            Not After : Mar 14 06:42:00 2017 GMT
+        Subject: C=CH, O=Linux strongSwan, OU=OCSP, CN=carol@strongswan.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:b0:33:dd:ed:c0:d6:9d:01:de:eb:08:c4:f9:6a:
+                    e9:46:10:f6:a4:cd:7d:aa:79:4b:c2:33:1f:61:40:
+                    40:de:06:9f:b8:2a:b0:84:cd:a7:79:c8:ee:a7:24:
+                    69:08:04:89:f8:7b:62:7e:03:9e:0a:d9:df:ff:7c:
+                    20:3c:a7:b1:86:7f:cc:e6:ad:0c:7e:6f:c4:9b:31:
+                    55:57:92:df:7b:94:86:f1:27:3a:0e:fa:0b:92:58:
+                    ad:64:8a:40:46:5d:87:ca:11:20:03:ad:86:68:a5:
+                    0c:8a:19:ce:36:d0:55:bf:1f:00:47:c9:1a:af:c5:
+                    ad:14:3c:d7:0c:9e:28:d9:61:1b:a2:a8:b7:f1:56:
+                    a7:d9:3b:fa:09:08:2c:9b:75:e3:30:64:5e:93:80:
+                    48:94:35:0d:97:ca:ac:57:66:02:86:b6:1b:6b:f1:
+                    4a:86:30:74:48:38:46:1a:7d:07:61:30:15:33:b0:
+                    9d:50:fc:4d:8c:16:1e:30:13:9f:07:04:7a:3b:92:
+                    54:33:c7:3a:0b:67:e2:ba:46:b0:b3:0d:79:7f:e4:
+                    ed:81:bd:34:cb:e5:30:f3:af:d4:dd:52:3e:f5:13:
+                    0e:c0:79:f8:43:c7:f5:b9:b0:12:6a:46:38:db:61:
+                    44:c8:4a:68:7b:77:34:68:63:ef:88:16:be:ae:89:
+                    ff:89
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Subject Key Identifier: 
+                C5:E8:58:D7:63:B0:B8:D4:2E:22:04:E1:CB:35:34:95:DA:74:F0:E6
+            X509v3 Authority Key Identifier: 
+                keyid:5D:A7:DD:70:06:51:32:7E:E7:B6:6D:B3:B5:E5:E0:60:EA:2E:4D:EF
+                DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA
+                serial:00
+
+            X509v3 Subject Alternative Name: 
+                email:carol@strongswan.org
+            Authority Information Access: 
+                OCSP - URI:http://ocsp.strongswan.org:8880
+
+            X509v3 CRL Distribution Points: 
+                URI:http://crl.strongswan.org/strongswan.crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+        b6:2d:d8:bb:40:e9:cf:a9:33:31:6c:91:c7:40:79:8c:5f:89:
+        8e:26:d8:ef:91:67:da:71:75:f9:27:84:21:c3:6c:d1:a5:fb:
+        50:de:b2:02:ad:3c:a4:6b:40:58:30:41:c7:bd:31:ca:df:77:
+        00:c9:ac:5b:10:e3:66:71:6c:be:4a:49:7e:58:92:de:f4:16:
+        51:12:00:2c:33:e2:2c:b5:e5:d4:6e:36:a2:50:ba:86:e3:c6:
+        bb:50:a2:e5:11:69:c4:86:91:fc:4d:65:7e:09:49:bd:d2:ae:
+        cd:70:f8:98:5d:a8:b6:cf:38:c3:19:49:fd:8b:72:3b:1a:cc:
+        fc:19:c9:c1:36:b2:39:ba:ed:9a:cd:db:2d:27:15:b0:ba:8a:
+        64:4a:5c:8f:ff:db:78:7d:cd:78:c3:c6:13:ba:93:7b:b7:57:
+        da:a3:f2:16:9f:f7:24:95:57:df:f4:4f:c5:9f:d6:12:b1:69:
+        39:a7:5a:88:9c:74:be:f7:b0:f3:b4:89:82:46:57:de:7d:a1:
+        42:a2:c2:de:1c:37:19:66:60:2a:df:ed:25:e3:72:d3:f9:9b:
+        84:05:b6:97:6a:63:63:5c:30:5d:01:7a:15:c4:6e:2c:a0:21:
+        d2:31:30:98:60:94:26:44:9a:08:b4:85:8d:52:00:98:ef:cb:
+        07:4f:b7:8e
 -----BEGIN CERTIFICATE-----
-MIIEWzCCA0OgAwIBAgIBEzANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEWzCCA0OgAwIBAgIBJzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA3MDIyNTA3NTg1N1oXDTEyMDIyNDA3NTg1N1owVjELMAkGA1UE
+b290IENBMB4XDTEyMDMxNTA2NDIwMFoXDTE3MDMxNDA2NDIwMFowVjELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDTALBgNVBAsTBE9DU1Ax
 HTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAyO4WxrPomcQSspX+ZnPit3t+tzYE/wi1E8rH3h5aO3e5
-vVZX3YxNvBqge2RPB3oQHrWwWT8vKmqzZNjJUx4bRIqd1JdTRI7L0f6XJHjnrRv8
-G7M2uHe+JbHQKPRT7IefJ4PZ1FEA8SCwKfWs5vk1/w/cabM6DVzzjtWTV9DXKD6J
-5rRlvXtJDbhAvI2w8pCC1Gt6H8qjVSb7ItJ+SD3BlW3tq3nBsYFJRL24TyQg+Kdt
-kkCRQYirog29q+J59SErjolse59dte+MhNTv+SnVFgpQE9IGEo6yaKMAWLSTv0If
-pPr/QaEV9rcsYFmR3RtHc+QaaP0hvDAPMaKdhQMIUwIDAQABo4IBQzCCAT8wCQYD
-VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDRTWKccFIi95BslK3U92mIQ
-2rWGMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD
+AAOCAQ8AMIIBCgKCAQEAsDPd7cDWnQHe6wjE+WrpRhD2pM19qnlLwjMfYUBA3gaf
+uCqwhM2necjupyRpCASJ+HtifgOeCtnf/3wgPKexhn/M5q0Mfm/EmzFVV5Lfe5SG
+8Sc6DvoLklitZIpARl2HyhEgA62GaKUMihnONtBVvx8AR8kar8WtFDzXDJ4o2WEb
+oqi38Van2Tv6CQgsm3XjMGRek4BIlDUNl8qsV2YChrYba/FKhjB0SDhGGn0HYTAV
+M7CdUPxNjBYeMBOfBwR6O5JUM8c6C2fiukawsw15f+Ttgb00y+Uw86/U3VI+9RMO
+wHn4Q8f1ubASakY422FEyEpoe3c0aGPviBa+ron/iQIDAQABo4IBQzCCAT8wCQYD
+VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFMXoWNdjsLjULiIE4cs1NJXa
+dPDmMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD
 VQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ry
 b25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4u
 b3JnMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3Auc3Ry
 b25nc3dhbi5vcmc6ODg4MDA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0
-cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQAc
-1bBYLYcc+js3UsHVk7W17Nr/qoNFzQZJ5Er3RjhNAgzAX1wOTrNgKXztwZde1Alj
-o05ZLXUFkB4coQwl7xo7I3EMJPUmSdHoyYyG7c7AgfcL/wwnzz4rWQl74WIZjySc
-ON0Ny9vrzbVboktYof/9Yp/+HgeKopfsaIiuNCAwmAWxiYqvDmlxxn16oOXeJFV8
-pFzZMirQ5l7QRD9iuabOdcnBp8ASH+5AbD4KjFQjo5RBVg92LwOkJo3Pf1twI57s
-pObrcM4JbHVohDornYQYfr9ymkMxJbqqkEgD8oIip0NFSbziam4ZkwgUlRIMUMU1
-/xsH+BXYZtKJbYjlnyc8
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC2
+Ldi7QOnPqTMxbJHHQHmMX4mOJtjvkWfacXX5J4Qhw2zRpftQ3rICrTyka0BYMEHH
+vTHK33cAyaxbEONmcWy+Skl+WJLe9BZREgAsM+IsteXUbjaiULqG48a7UKLlEWnE
+hpH8TWV+CUm90q7NcPiYXai2zzjDGUn9i3I7Gsz8GcnBNrI5uu2azdstJxWwuopk
+SlyP/9t4fc14w8YTupN7t1fao/IWn/cklVff9E/Fn9YSsWk5p1qInHS+97DztImC
+RlfefaFCosLeHDcZZmAq3+0l43LT+ZuEBbaXamNjXDBdAXoVxG4soCHSMTCYYJQm
+RJoItIWNUgCY78sHT7eO
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
index 603f071d0..d6a762b1b 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAyO4WxrPomcQSspX+ZnPit3t+tzYE/wi1E8rH3h5aO3e5vVZX
-3YxNvBqge2RPB3oQHrWwWT8vKmqzZNjJUx4bRIqd1JdTRI7L0f6XJHjnrRv8G7M2
-uHe+JbHQKPRT7IefJ4PZ1FEA8SCwKfWs5vk1/w/cabM6DVzzjtWTV9DXKD6J5rRl
-vXtJDbhAvI2w8pCC1Gt6H8qjVSb7ItJ+SD3BlW3tq3nBsYFJRL24TyQg+KdtkkCR
-QYirog29q+J59SErjolse59dte+MhNTv+SnVFgpQE9IGEo6yaKMAWLSTv0IfpPr/
-QaEV9rcsYFmR3RtHc+QaaP0hvDAPMaKdhQMIUwIDAQABAoIBAFTGd5+gmpv96TGm
-LW8Gp/poRX+BcDw2bUgLf6aMwd9jVV+4RVw5bTbXOSy2ls19x71dRSlyijDoUgZT
-nSXPhwu1PIBM1JoRcZeJRjXiOUWFkCoTxBuykeyPiFcvNxWN5y2h6M822iHie9FI
-UYomTYzvIT0LnIu00yJJpGAhwhW9BcL+Mo9lfWmhv4I1hXC9RTqZZ4rjPojDeFvL
-maZNCk3kX2pxIJ1kG41/PJjg3JD2uEVrvV7SRuOknM+7f3SDtY60/Wnqx8dfBtjJ
-hEdIxG+XXEOafdqwEPmmM++6V76uD8Rs1eFrrI4rfK6/H2PjppJCYtQeryug0q+0
-UN2u00kCgYEA5qJOcDSzb7CQAi58yYicYc3ShEbaL75V7G5rlnFg4/G1axU19hXQ
-wEPDf87So9hnVroCMewjyDiNgI/OyYK2cv1TABUGAEFAHPzj99jtBT0/R0kX+Jd2
-kPwCU4/T2cHrezwNobrJf010JAvwc52b+U3lWtHxBWeq5KALUVT+BhcCgYEA3wdx
-OwVxTf+OBOBcxPPGUcfsKbf9uVTcXFLNRSBbjzRIOR/bIVgUQaBXem2fJJTm1mWN
-Yl/U14G5orv9693GKgE5IDAMMrDF7mOsX808o3pcXM04MTAyGmQEDDEO8tgmWzWo
-nrYzxe9uBR1tej9IsiEPlD9ZLtWix9C2uV7EcSUCgYBKOrDuMjgSWYxv91BYeOyE
-Gf+IbVlqBmOXPg7Ik+MwWioetevxMSJHz0eLyiBHda4E3sc4FB2MIo+AckiG2Ngp
-+FiPbTTKPjYJXmds7NeUWRsVsXPSocUactG43VC9BEnrFu/4Pqr9mwsnUuRoAbEi
-syx/Z5SgPbZl8RDTc3xyrwKBgBFpB1HQLvQjyvZefV9ymDyyGqF3F3tsQHeEjzmi
-OQOI1UqATh7gPVSSK8IG5LF6XjrGWq8fRAI+wjsN6diLy3hj+A2nMoySeCEP7tjb
-sKwiVSt5abWNSZv9ysMY4U3bycK9AZjCKHB/LFuB3JX6crZVFl5AQ7oAO2DVzi3S
-VAtxAoGALzFZH7o1ZvVJGa23dW7p96G5vgop6Ulp2DLz4Qg6NYIeatZhwX3lls2J
-P7ZxmHiECC7zR67xwv5QKjKfg6t/sOKU/bsyp6c3hOWQjcFbWU3AwlO1TeVX9TMG
-SmPYcKM+KQ969qKD3aP9MQ+t4FERvlQcBAr0Qun3quN2i3eDkDo=
+MIIEogIBAAKCAQEAsDPd7cDWnQHe6wjE+WrpRhD2pM19qnlLwjMfYUBA3gafuCqw
+hM2necjupyRpCASJ+HtifgOeCtnf/3wgPKexhn/M5q0Mfm/EmzFVV5Lfe5SG8Sc6
+DvoLklitZIpARl2HyhEgA62GaKUMihnONtBVvx8AR8kar8WtFDzXDJ4o2WEboqi3
+8Van2Tv6CQgsm3XjMGRek4BIlDUNl8qsV2YChrYba/FKhjB0SDhGGn0HYTAVM7Cd
+UPxNjBYeMBOfBwR6O5JUM8c6C2fiukawsw15f+Ttgb00y+Uw86/U3VI+9RMOwHn4
+Q8f1ubASakY422FEyEpoe3c0aGPviBa+ron/iQIDAQABAoIBAEEGwy5M7mb/G79t
+exP5CqHa/MsRMwFIxlai+z+usMG/fA5BYud/5gCh0MFKRKC63BghoNWUjCzA/1OQ
+AW2hDXjvjTTMREIdCVekuzQYdfVreOliaqDAUqjtpP/nrZTKS6Sc8U2qKmJQFvKY
+V2wPMrXXwQi9BOY9c4R2d36ml7iw6veYhPj0XHy3spJc3V6k7YmbApOQgWDqRwid
+GGnnvDpdD0gAGAOxadCCpV+N9NK+AMSk03Qpcc2ki4THEn2e8Rs1/dH1k5nics/E
+cG9VT9pZtvGXjEX7Wo06v0lXsTRWGWLKhHvzfhIb6uWnC/YUR+7Cv8JYRz+RZn98
+bv5lXokCgYEA1iRf3gH8qwvxQjLtaNKRyr8Bheo3tsOLh2tYriWaUTXqeKAd46zI
+KcWAKtYWJQenVyFvnsMwKNFvFq/HgJGhKTOvZRwsrTb2wXgxcAleOBO+Ts4Vhb9J
+xil8/WcWCKU+GPf8hQOkwVnhv4CxLscCXT2g9zxTpP/JCKmHaucQog8CgYEA0qUC
+NBRMh55bjiHaqsSRvr45iwxzNzd8KK5A/xKyScEl+A4HWdqDpZ+8w9YC4GUQClvH
+cHn5NpWfq9hrNAXPjBzVGXk+JqFcJM/yPImH+Vg8MupJprwVSHJ1mqQ/MPSpxxhy
+iNaWeJX6bhPAgQSOAYbH22uNOGePmMQ8kk3v/OcCgYA7ZzPA3kQ9Hr76Yi5Bmcgf
+ugSuJV73MB+QnVKoXH4GcTJt69zev5t3GvaG64SRGSJupTPVksfVSuPKI1DwdXWD
+fHb3UW2DT2/8E1+DeNXOMIvmSHzn8TyB4BhwIxyVoWEsg/5k17HogQqCmSyNkV8y
+hloUu4NojhwybvTFzvtqOQKBgDL0IVVRt7Vyk/kMrWVziUHXp/m/uDsaG9mHVUee
+USxQIYwgcJzGo+OzgSjqIuX+7GNlEhheGO+gP/CEuGHsKeldrBquXl9f1vc8qf8E
+0bR6KI20aL6BbrCIp3QR2QtRk6QKgOIi7mEa/moUMxPCc0thPAUSviVvv6eXiINn
+gO7vAoGAcvwVy9gDcGTL+4mMjZ07jc/TmQPmOpqosXuDTQZITuovpzY0Nf9KPNJs
+0dTuCaO+N5ZjttxIm6L9h/Ah0BN2Ir+JbplJ5uScWldz0MFJXm1wz7KJCRZQpVIO
+6SJCLSmh4nZ0TIL8V0ABhaFVQK0qq2z/ASljIF6iC68DBEDfuzY=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
index 6a253d830..2e0f059c6 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -1,7 +1,7 @@
 moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES
 moon::cat /var/log/daemon.log::libcurl http request failed::YES
 moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least SKIPPED::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
 moon::ipsec status::ESTABLISHED.*carol::YES
 moon::ipsec status::ESTABLISHED.*dave::NO
 carol::ipsec status::ESTABLISHED::YES
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
index aeca7e1db..a1c57b0f0 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
@@ -1,26 +1,95 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 39 (0x27)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=CH, O=Linux strongSwan, CN=strongSwan Root CA
+        Validity
+            Not Before: Mar 15 06:42:00 2012 GMT
+            Not After : Mar 14 06:42:00 2017 GMT
+        Subject: C=CH, O=Linux strongSwan, OU=OCSP, CN=carol@strongswan.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:b0:33:dd:ed:c0:d6:9d:01:de:eb:08:c4:f9:6a:
+                    e9:46:10:f6:a4:cd:7d:aa:79:4b:c2:33:1f:61:40:
+                    40:de:06:9f:b8:2a:b0:84:cd:a7:79:c8:ee:a7:24:
+                    69:08:04:89:f8:7b:62:7e:03:9e:0a:d9:df:ff:7c:
+                    20:3c:a7:b1:86:7f:cc:e6:ad:0c:7e:6f:c4:9b:31:
+                    55:57:92:df:7b:94:86:f1:27:3a:0e:fa:0b:92:58:
+                    ad:64:8a:40:46:5d:87:ca:11:20:03:ad:86:68:a5:
+                    0c:8a:19:ce:36:d0:55:bf:1f:00:47:c9:1a:af:c5:
+                    ad:14:3c:d7:0c:9e:28:d9:61:1b:a2:a8:b7:f1:56:
+                    a7:d9:3b:fa:09:08:2c:9b:75:e3:30:64:5e:93:80:
+                    48:94:35:0d:97:ca:ac:57:66:02:86:b6:1b:6b:f1:
+                    4a:86:30:74:48:38:46:1a:7d:07:61:30:15:33:b0:
+                    9d:50:fc:4d:8c:16:1e:30:13:9f:07:04:7a:3b:92:
+                    54:33:c7:3a:0b:67:e2:ba:46:b0:b3:0d:79:7f:e4:
+                    ed:81:bd:34:cb:e5:30:f3:af:d4:dd:52:3e:f5:13:
+                    0e:c0:79:f8:43:c7:f5:b9:b0:12:6a:46:38:db:61:
+                    44:c8:4a:68:7b:77:34:68:63:ef:88:16:be:ae:89:
+                    ff:89
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment, Key Agreement
+            X509v3 Subject Key Identifier: 
+                C5:E8:58:D7:63:B0:B8:D4:2E:22:04:E1:CB:35:34:95:DA:74:F0:E6
+            X509v3 Authority Key Identifier: 
+                keyid:5D:A7:DD:70:06:51:32:7E:E7:B6:6D:B3:B5:E5:E0:60:EA:2E:4D:EF
+                DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA
+                serial:00
+
+            X509v3 Subject Alternative Name: 
+                email:carol@strongswan.org
+            Authority Information Access: 
+                OCSP - URI:http://ocsp.strongswan.org:8880
+
+            X509v3 CRL Distribution Points: 
+                URI:http://crl.strongswan.org/strongswan.crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+        b6:2d:d8:bb:40:e9:cf:a9:33:31:6c:91:c7:40:79:8c:5f:89:
+        8e:26:d8:ef:91:67:da:71:75:f9:27:84:21:c3:6c:d1:a5:fb:
+        50:de:b2:02:ad:3c:a4:6b:40:58:30:41:c7:bd:31:ca:df:77:
+        00:c9:ac:5b:10:e3:66:71:6c:be:4a:49:7e:58:92:de:f4:16:
+        51:12:00:2c:33:e2:2c:b5:e5:d4:6e:36:a2:50:ba:86:e3:c6:
+        bb:50:a2:e5:11:69:c4:86:91:fc:4d:65:7e:09:49:bd:d2:ae:
+        cd:70:f8:98:5d:a8:b6:cf:38:c3:19:49:fd:8b:72:3b:1a:cc:
+        fc:19:c9:c1:36:b2:39:ba:ed:9a:cd:db:2d:27:15:b0:ba:8a:
+        64:4a:5c:8f:ff:db:78:7d:cd:78:c3:c6:13:ba:93:7b:b7:57:
+        da:a3:f2:16:9f:f7:24:95:57:df:f4:4f:c5:9f:d6:12:b1:69:
+        39:a7:5a:88:9c:74:be:f7:b0:f3:b4:89:82:46:57:de:7d:a1:
+        42:a2:c2:de:1c:37:19:66:60:2a:df:ed:25:e3:72:d3:f9:9b:
+        84:05:b6:97:6a:63:63:5c:30:5d:01:7a:15:c4:6e:2c:a0:21:
+        d2:31:30:98:60:94:26:44:9a:08:b4:85:8d:52:00:98:ef:cb:
+        07:4f:b7:8e
 -----BEGIN CERTIFICATE-----
-MIIEWzCCA0OgAwIBAgIBEzANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEWzCCA0OgAwIBAgIBJzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA3MDIyNTA3NTg1N1oXDTEyMDIyNDA3NTg1N1owVjELMAkGA1UE
+b290IENBMB4XDTEyMDMxNTA2NDIwMFoXDTE3MDMxNDA2NDIwMFowVjELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDTALBgNVBAsTBE9DU1Ax
 HTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAyO4WxrPomcQSspX+ZnPit3t+tzYE/wi1E8rH3h5aO3e5
-vVZX3YxNvBqge2RPB3oQHrWwWT8vKmqzZNjJUx4bRIqd1JdTRI7L0f6XJHjnrRv8
-G7M2uHe+JbHQKPRT7IefJ4PZ1FEA8SCwKfWs5vk1/w/cabM6DVzzjtWTV9DXKD6J
-5rRlvXtJDbhAvI2w8pCC1Gt6H8qjVSb7ItJ+SD3BlW3tq3nBsYFJRL24TyQg+Kdt
-kkCRQYirog29q+J59SErjolse59dte+MhNTv+SnVFgpQE9IGEo6yaKMAWLSTv0If
-pPr/QaEV9rcsYFmR3RtHc+QaaP0hvDAPMaKdhQMIUwIDAQABo4IBQzCCAT8wCQYD
-VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDRTWKccFIi95BslK3U92mIQ
-2rWGMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD
+AAOCAQ8AMIIBCgKCAQEAsDPd7cDWnQHe6wjE+WrpRhD2pM19qnlLwjMfYUBA3gaf
+uCqwhM2necjupyRpCASJ+HtifgOeCtnf/3wgPKexhn/M5q0Mfm/EmzFVV5Lfe5SG
+8Sc6DvoLklitZIpARl2HyhEgA62GaKUMihnONtBVvx8AR8kar8WtFDzXDJ4o2WEb
+oqi38Van2Tv6CQgsm3XjMGRek4BIlDUNl8qsV2YChrYba/FKhjB0SDhGGn0HYTAV
+M7CdUPxNjBYeMBOfBwR6O5JUM8c6C2fiukawsw15f+Ttgb00y+Uw86/U3VI+9RMO
+wHn4Q8f1ubASakY422FEyEpoe3c0aGPviBa+ron/iQIDAQABo4IBQzCCAT8wCQYD
+VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFMXoWNdjsLjULiIE4cs1NJXa
+dPDmMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD
 VQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ry
 b25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4u
 b3JnMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3Auc3Ry
 b25nc3dhbi5vcmc6ODg4MDA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0
-cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQAc
-1bBYLYcc+js3UsHVk7W17Nr/qoNFzQZJ5Er3RjhNAgzAX1wOTrNgKXztwZde1Alj
-o05ZLXUFkB4coQwl7xo7I3EMJPUmSdHoyYyG7c7AgfcL/wwnzz4rWQl74WIZjySc
-ON0Ny9vrzbVboktYof/9Yp/+HgeKopfsaIiuNCAwmAWxiYqvDmlxxn16oOXeJFV8
-pFzZMirQ5l7QRD9iuabOdcnBp8ASH+5AbD4KjFQjo5RBVg92LwOkJo3Pf1twI57s
-pObrcM4JbHVohDornYQYfr9ymkMxJbqqkEgD8oIip0NFSbziam4ZkwgUlRIMUMU1
-/xsH+BXYZtKJbYjlnyc8
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC2
+Ldi7QOnPqTMxbJHHQHmMX4mOJtjvkWfacXX5J4Qhw2zRpftQ3rICrTyka0BYMEHH
+vTHK33cAyaxbEONmcWy+Skl+WJLe9BZREgAsM+IsteXUbjaiULqG48a7UKLlEWnE
+hpH8TWV+CUm90q7NcPiYXai2zzjDGUn9i3I7Gsz8GcnBNrI5uu2azdstJxWwuopk
+SlyP/9t4fc14w8YTupN7t1fao/IWn/cklVff9E/Fn9YSsWk5p1qInHS+97DztImC
+RlfefaFCosLeHDcZZmAq3+0l43LT+ZuEBbaXamNjXDBdAXoVxG4soCHSMTCYYJQm
+RJoItIWNUgCY78sHT7eO
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
index 603f071d0..d6a762b1b 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAyO4WxrPomcQSspX+ZnPit3t+tzYE/wi1E8rH3h5aO3e5vVZX
-3YxNvBqge2RPB3oQHrWwWT8vKmqzZNjJUx4bRIqd1JdTRI7L0f6XJHjnrRv8G7M2
-uHe+JbHQKPRT7IefJ4PZ1FEA8SCwKfWs5vk1/w/cabM6DVzzjtWTV9DXKD6J5rRl
-vXtJDbhAvI2w8pCC1Gt6H8qjVSb7ItJ+SD3BlW3tq3nBsYFJRL24TyQg+KdtkkCR
-QYirog29q+J59SErjolse59dte+MhNTv+SnVFgpQE9IGEo6yaKMAWLSTv0IfpPr/
-QaEV9rcsYFmR3RtHc+QaaP0hvDAPMaKdhQMIUwIDAQABAoIBAFTGd5+gmpv96TGm
-LW8Gp/poRX+BcDw2bUgLf6aMwd9jVV+4RVw5bTbXOSy2ls19x71dRSlyijDoUgZT
-nSXPhwu1PIBM1JoRcZeJRjXiOUWFkCoTxBuykeyPiFcvNxWN5y2h6M822iHie9FI
-UYomTYzvIT0LnIu00yJJpGAhwhW9BcL+Mo9lfWmhv4I1hXC9RTqZZ4rjPojDeFvL
-maZNCk3kX2pxIJ1kG41/PJjg3JD2uEVrvV7SRuOknM+7f3SDtY60/Wnqx8dfBtjJ
-hEdIxG+XXEOafdqwEPmmM++6V76uD8Rs1eFrrI4rfK6/H2PjppJCYtQeryug0q+0
-UN2u00kCgYEA5qJOcDSzb7CQAi58yYicYc3ShEbaL75V7G5rlnFg4/G1axU19hXQ
-wEPDf87So9hnVroCMewjyDiNgI/OyYK2cv1TABUGAEFAHPzj99jtBT0/R0kX+Jd2
-kPwCU4/T2cHrezwNobrJf010JAvwc52b+U3lWtHxBWeq5KALUVT+BhcCgYEA3wdx
-OwVxTf+OBOBcxPPGUcfsKbf9uVTcXFLNRSBbjzRIOR/bIVgUQaBXem2fJJTm1mWN
-Yl/U14G5orv9693GKgE5IDAMMrDF7mOsX808o3pcXM04MTAyGmQEDDEO8tgmWzWo
-nrYzxe9uBR1tej9IsiEPlD9ZLtWix9C2uV7EcSUCgYBKOrDuMjgSWYxv91BYeOyE
-Gf+IbVlqBmOXPg7Ik+MwWioetevxMSJHz0eLyiBHda4E3sc4FB2MIo+AckiG2Ngp
-+FiPbTTKPjYJXmds7NeUWRsVsXPSocUactG43VC9BEnrFu/4Pqr9mwsnUuRoAbEi
-syx/Z5SgPbZl8RDTc3xyrwKBgBFpB1HQLvQjyvZefV9ymDyyGqF3F3tsQHeEjzmi
-OQOI1UqATh7gPVSSK8IG5LF6XjrGWq8fRAI+wjsN6diLy3hj+A2nMoySeCEP7tjb
-sKwiVSt5abWNSZv9ysMY4U3bycK9AZjCKHB/LFuB3JX6crZVFl5AQ7oAO2DVzi3S
-VAtxAoGALzFZH7o1ZvVJGa23dW7p96G5vgop6Ulp2DLz4Qg6NYIeatZhwX3lls2J
-P7ZxmHiECC7zR67xwv5QKjKfg6t/sOKU/bsyp6c3hOWQjcFbWU3AwlO1TeVX9TMG
-SmPYcKM+KQ969qKD3aP9MQ+t4FERvlQcBAr0Qun3quN2i3eDkDo=
+MIIEogIBAAKCAQEAsDPd7cDWnQHe6wjE+WrpRhD2pM19qnlLwjMfYUBA3gafuCqw
+hM2necjupyRpCASJ+HtifgOeCtnf/3wgPKexhn/M5q0Mfm/EmzFVV5Lfe5SG8Sc6
+DvoLklitZIpARl2HyhEgA62GaKUMihnONtBVvx8AR8kar8WtFDzXDJ4o2WEboqi3
+8Van2Tv6CQgsm3XjMGRek4BIlDUNl8qsV2YChrYba/FKhjB0SDhGGn0HYTAVM7Cd
+UPxNjBYeMBOfBwR6O5JUM8c6C2fiukawsw15f+Ttgb00y+Uw86/U3VI+9RMOwHn4
+Q8f1ubASakY422FEyEpoe3c0aGPviBa+ron/iQIDAQABAoIBAEEGwy5M7mb/G79t
+exP5CqHa/MsRMwFIxlai+z+usMG/fA5BYud/5gCh0MFKRKC63BghoNWUjCzA/1OQ
+AW2hDXjvjTTMREIdCVekuzQYdfVreOliaqDAUqjtpP/nrZTKS6Sc8U2qKmJQFvKY
+V2wPMrXXwQi9BOY9c4R2d36ml7iw6veYhPj0XHy3spJc3V6k7YmbApOQgWDqRwid
+GGnnvDpdD0gAGAOxadCCpV+N9NK+AMSk03Qpcc2ki4THEn2e8Rs1/dH1k5nics/E
+cG9VT9pZtvGXjEX7Wo06v0lXsTRWGWLKhHvzfhIb6uWnC/YUR+7Cv8JYRz+RZn98
+bv5lXokCgYEA1iRf3gH8qwvxQjLtaNKRyr8Bheo3tsOLh2tYriWaUTXqeKAd46zI
+KcWAKtYWJQenVyFvnsMwKNFvFq/HgJGhKTOvZRwsrTb2wXgxcAleOBO+Ts4Vhb9J
+xil8/WcWCKU+GPf8hQOkwVnhv4CxLscCXT2g9zxTpP/JCKmHaucQog8CgYEA0qUC
+NBRMh55bjiHaqsSRvr45iwxzNzd8KK5A/xKyScEl+A4HWdqDpZ+8w9YC4GUQClvH
+cHn5NpWfq9hrNAXPjBzVGXk+JqFcJM/yPImH+Vg8MupJprwVSHJ1mqQ/MPSpxxhy
+iNaWeJX6bhPAgQSOAYbH22uNOGePmMQ8kk3v/OcCgYA7ZzPA3kQ9Hr76Yi5Bmcgf
+ugSuJV73MB+QnVKoXH4GcTJt69zev5t3GvaG64SRGSJupTPVksfVSuPKI1DwdXWD
+fHb3UW2DT2/8E1+DeNXOMIvmSHzn8TyB4BhwIxyVoWEsg/5k17HogQqCmSyNkV8y
+hloUu4NojhwybvTFzvtqOQKBgDL0IVVRt7Vyk/kMrWVziUHXp/m/uDsaG9mHVUee
+USxQIYwgcJzGo+OzgSjqIuX+7GNlEhheGO+gP/CEuGHsKeldrBquXl9f1vc8qf8E
+0bR6KI20aL6BbrCIp3QR2QtRk6QKgOIi7mEa/moUMxPCc0thPAUSviVvv6eXiINn
+gO7vAoGAcvwVy9gDcGTL+4mMjZ07jc/TmQPmOpqosXuDTQZITuovpzY0Nf9KPNJs
+0dTuCaO+N5ZjttxIm6L9h/Ah0BN2Ir+JbplJ5uScWldz0MFJXm1wz7KJCRZQpVIO
+6SJCLSmh4nZ0TIL8V0ABhaFVQK0qq2z/ASljIF6iC68DBEDfuzY=
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index 44945bf5f..45c6ce7c5 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -2,6 +2,6 @@ moon::cat /var/log/daemon.log::requesting ocsp status from::YES
 moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
 moon::cat /var/log/daemon.log::ocsp response verification failed::YES
 moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_OCSP_VALIDATION is FAILED, but requires at least GOOD::YES
+moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
 moon::ipsec status::rw.*ESTABLISHED::NO
 carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2/reauth-late/evaltest.dat
index 7f083a05e..c0893df65 100644
--- a/testing/tests/ikev2/reauth-late/evaltest.dat
+++ b/testing/tests/ikev2/reauth-late/evaltest.dat
@@ -1,7 +1,7 @@
 moon::ipsec statusall::rw\[2\].*ESTABLISHED::YES
 carol::ipsec statusall::home\[2\].*ESTABLISHED::YES
 carol::cat /var/log/daemon.log::scheduling reauthentication in 2[0-5]s::YES
-carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, reauthentication already scheduled in 2[0-5]s::YES
+carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 360[01]s, reauthentication already scheduled in 2[0-5]s::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf
index bdd186a04..cb5e86a66 100755
--- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf
@@ -6,8 +6,8 @@ config setup
 	plutostart=no
 
 conn %default
-	ikelifetime=60m
-	keylife=20m
+	ikelifetime=3601
+	keylife=1200
 	rekeymargin=0s
 	keyingtries=1
 
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index bbb5a76fd..e070f9a27 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index bbb5a76fd..e070f9a27 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index bbb5a76fd..e070f9a27 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
index b4f766d6f..1277081b9 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/description.txt
@@ -3,5 +3,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
 in association with the <i>Authentication and Key Agreement</i> protocol
 (<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
 in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
-Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate itself
+Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
 against <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index 5821bc12d..d8c77f5b1 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+}
+
+libstrongswan {
+  integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index 5821bc12d..d8c77f5b1 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+}
+
+libstrongswan {
+  integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/description.txt b/testing/tests/ikev2/rw-eap-md5-id-prompt/description.txt
new file mode 100644
index 000000000..b1590090e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/description.txt
@@ -0,0 +1,9 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+<b>carol</b> uses the <i>Extensible Authentication Protocol</i>
+in association with an  <i>MD5</i> challenge and response protocol
+(<b>EAP-MD5</b>) to authenticate against the gateway. The EAP identity and password
+of the user is kept in <b>ipsec.secrets</b> on the gateway <b>moon</b> and 
+is entered interactively on the client <b>carol</b> using the command
+<b>ipsec stroke user-creds home carol "Ar3etTnp"</b>.
+Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
+against <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
new file mode 100644
index 000000000..3f828141c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
@@ -0,0 +1,13 @@
+carol::cat /var/log/daemon.log::configured EAP-Identity carol::YES
+carol::cat /var/log/daemon.log::added EAP secret for carol moon.strongswan.org::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+moon::cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+
+
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..7859ee9cc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..ddd495699
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..fe067d344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..c132b9ab8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-md5
+	rightsendcert=never
+	right=%any
+	eap_identity=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e11a2204c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fe067d344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
new file mode 100644
index 000000000..94a400606
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
new file mode 100644
index 000000000..9c301f484
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
@@ -0,0 +1,8 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec stroke user-creds home carol "Ar3etTnp"
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
new file mode 100644
index 000000000..2bd21499b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
index a2ac00d80..d376ee5a8 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt
@@ -3,5 +3,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
 in association with an  <i>MD5</i> challenge and response protocol
 (<b>EAP-MD5</b>) to authenticate against the gateway. The user password
 is kept in <b>ipsec.secrets</b> on both gateway and client 
-Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate itself
+Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
 against <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
index df7041a97..4feadff4c 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/description.txt
@@ -4,5 +4,5 @@ in association with the <i>Microsoft CHAP version 2</i> protocol
 (<b>EAP-MSCHAPV2</b>) to authenticate against the gateway. This protocol is used
 e.g. by the Windows 7 Agile VPN client.
 In addition to her IKEv2 identity <b>PH_IP_CAROL</b>, roadwarrior <b>carol</b>
-uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionaly uses an <b>RSA signature</b>
+uses the EAP identy <b>carol</b>. Gateway <b>moon</b> additionally uses an <b>RSA signature</b>
 to authenticate itself against <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
index 2c06d26a6..fd5d3f5f4 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
index 2c06d26a6..fd5d3f5f4 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
index 68d2cd95a..f5024111c 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
   plugins {
     eap-peap {
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/description.txt b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
index 5fc75e1b1..686241809 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt
@@ -3,5 +3,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
 in association with a GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>)
 to authenticate against the gateway. In this scenario triplets from the file
 <b>/etc/ipsec.d/triplets.dat</b> are used instead of a physical SIM card.
-Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate
+Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate
 itself against <b>carol</b>.
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
index e468cd4f9..0add0f360 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+}
+
+libstrongswan {
+  integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
index e468cd4f9..527cb2b37 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
+
+libstrongswan {
+  integrity_test = yes
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
index 5fe84aea3..4e47e632c 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
index 5fe84aea3..4e47e632c 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
index 5fe84aea3..4e47e632c 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
index 4d2d3058d..ab71e5908 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config
deleted file mode 100644
index a9509a716..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for TNC@FHH-TNC-Server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index 621e94f0e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-none
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config
deleted file mode 100644
index a9509a716..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for TNC@FHH-TNC-Server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index 621e94f0e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-none
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc/dummyimv.policy
deleted file mode 100644
index 573541ac9..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc/dummyimv.policy
+++ /dev/null
@@ -1 +0,0 @@
-0
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc/dummyimv.policy
deleted file mode 100644
index 573541ac9..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc/dummyimv.policy
+++ /dev/null
@@ -1 +0,0 @@
-0
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config
deleted file mode 100644
index ac436a344..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for strongSwan server 
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
deleted file mode 100644
index d2fabe109..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy"		/usr/local/lib/libdummyimc.so
-#IMC "HostScanner"	/usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index b2aa2806a..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
deleted file mode 100644
index d2fabe109..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy"		/usr/local/lib/libdummyimc.so
-#IMC "HostScanner"	/usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config
deleted file mode 100644
index 140caa98f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan server 
-
-IMV "Dummy"		/usr/local/lib/libdummyimv.so
-#IMV "HostScanner"	/usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 6a12318db..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-1.1
-    }
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config
deleted file mode 100644
index d2fabe109..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy"		/usr/local/lib/libdummyimc.so
-#IMC "HostScanner"	/usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index b2aa2806a..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index 33945dc1e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config
deleted file mode 100644
index d2fabe109..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Dummy"		/usr/local/lib/libdummyimc.so
-#IMC "HostScanner"	/usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc/dummyimv.policy
deleted file mode 100644
index d00491fd7..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc/dummyimv.policy
+++ /dev/null
@@ -1 +0,0 @@
-1
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config
deleted file mode 100644
index 140caa98f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan server 
-
-IMV "Dummy"		/usr/local/lib/libdummyimv.so
-#IMV "HostScanner"	/usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
index 378bdc540..96620d0c2 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
index 378bdc540..96620d0c2 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
index 8cdcb640c..a68a74712 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
index 378bdc540..96620d0c2 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
index 378bdc540..96620d0c2 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
index 4d2d3058d..ab71e5908 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev2/rw-pkcs8/description.txt b/testing/tests/ikev2/rw-pkcs8/description.txt
new file mode 100644
index 000000000..d5d817f52
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>
+and matching RSA private keys stored in the <b>PKCS#8</b> format. <b>moon</b>'s key
+is unencrypted, <b>carol</b>'s key is encrypted with the default PKCS#5 v1.5
+DES algorithm and <b>dave</b>'s key with the PKCS#5 v2.0 3DES algorithm.
+<p/>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-pkcs8/evaltest.dat b/testing/tests/ikev2/rw-pkcs8/evaltest.dat
new file mode 100644
index 000000000..06a0f8cda
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..bcdb8641b
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..15d775dc8
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,29 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIE6TAbBgkqhkiG9w0BBQMwDgQI+eazNjQUVoACAggABIIEyMUe2rc1ZsQgFwUm
+MiU+qAl2g7uzI1Pz6XzgvjZrV5n62XXAbIbG4WP08slkD2VXA5iVTnfI7nj0HEtD
+d2eaLU0GKNwmW7eSAXmhwBiUA623Xo0Y/X4eAY9VUfSlVshnNKOsgETQxQhUsKK1
+NXSpXfAjSgd+HDwQ+uvFQQD9WgibO3rIxfuO9+QqwnYXWz/p2bmc128mBibaFxwa
+SdVlYhR9l1hhFHN5cdD5AXFsflbLzGVR6gJpArU1m1soOEYp6q314L75KALYAVaY
+tQTC6gcPtXRZZvNsg9iRttPKsky0XJF7t5YGIqM4NNu5b534iXATm5Lt9jkrNKqm
+3SGD+KDLrk2aIaU9jCgY73Um1MJOls8AzUU0ZqwmAQAYoaZOwMDZ/P0Uw/du3Oaz
+O9FbzfPoS46muRZHMDVXEB0Zt8laSjwryeIU26MNye1xEU0aJJRaQQP2Vq8FTGtM
+Gi4gR9vdjyBhRE51z0kd5vPc7YkpqJNGB59KHRlHVmozo3v7zjkY/ROsiy1a0Vy/
+6ZkwtS0cnFzFhUBvUefzCsRKSiWWULqGIn3Qb7o+JQYc8vxuEua8DGnEmQEUBRgE
+j/YeI8wtObYm+u6eE0lbTopdSkfHu5UzTDYpnYDhW5nwv5ZOKeRBdXyX4BOrITnR
+xEsmp34/ql3/C9W1MXkjStaSRiWfbHt35gVlFaJNXZJXtKVOlFgxFxuslrawGI0c
+DLhPu1aMfHNc8LlD8cN5W2OQ/jsYlQDDd+n1WPpn+9VuBqSlnDl/mn4/0R7Yy53m
++lgruhfA7S26NG+SxHPXBq8PE052ohDLylKRGEqBTJp2aXNEKKZLrK8I1zbdIx1h
+0YAAtERtvqPu2xSvJ7lGuHD+87TlWa54p3H+0UM803RBQUcH5lsNUzQ4lAN/eFgg
+7TK2BqRTqWTVm8he0tVY8XJ4dLPLsXxUKb/tiFvtjBdQM7bq0UlTxign8VGZro7v
+dKkGqdsEEiFzCnOvDwyjOEG7wUVmO/ejWkuI510U80x/APuOUH0zQOTBhMSrz1Eh
+AdWWeSvNuyWyRPNNzlQ4DJd3UKnu4BZu4zobe4imhwCCrkGkfE5FhnyXExA8FppT
+2BNe5AmIfI1joEQyRgXm/nAvwvN9pawKfDxg8gmhBLjVfk50tAydWurhrhF6CnBL
+4h/hhb+C6HZBbNpmY+O12bDk81unZ8Vvtbkix5n7/371XbaAQN1WYxNaH6SDeT1J
+qDRWAZhGPBn7VLVaQ6ZmLB73U8vkcju8r6atWasZTPsZQl2eng9J/5UoL/0Ubri2
+Jlmj/fScAhlK7yM62dVYVwezYtKV8QUcaDmcqO8qhuVCnYlaqu6SO5ApYWkOMzMW
+EpvY0SqD6QkfKvT8bVU9GOaNSMaEKUR7NPPgettVcEkg50TeyBRvXvOAexD6qcE0
+NO/sYx9do0WpY4u85DZt3Toper0hchbEmXVHlxh8CKPgUTFVsDQ6AVyrVWrtoY1k
+VpJutwWV5sPIxq17bFLTJ7pP2NIvNBvwnDedn5WKNDFu9E2U8vAujVdzlQd/gsJi
+JLCreDt+rcmJVBJHMxZC+SpLbR4kNMAe5vwwESVo6wBsxMuyn1b+82C8rum5qbJ9
+RGF8RGrZzrPWbBITPw==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..6a2aea811
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..3c22edc23
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..ea8bc92a7
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..199d78984
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIRwFyB7jCGskCAggA
+MBQGCCqGSIb3DQMHBAjDqug87twvJwSCBMiBb1Y4B1FxGPGQwAgZd6aE8J6xH4VZ
+MNpkm4+MPCVYBvpG1q3I1YcvIw0GcAlLQASGLXEytuVEH5xCUaGdCsa5zVpf+6Ex
+i8Oyqf0dbRRafzN+K+jVLBa+higxXESE6jYxBP/auH4v5pcEy+fbljwDauyEP0bF
+EgURF5nTsa5c+MTmWho+OMy/1pAuP92XmwLeeBXWuRWs+s3wkBOIe3SerW5MOyMN
+mwqqu/6J4RU9VL7kooVE/B0oWJblvBTjeJoKDy5iX/iE2oRqXjihWPXYIhWqeCEB
+2QCpZ1/9hEN7FLX87GBD7yivhhQMF/uBnTRIjmgbKmNtwY1+rybz0MUJrXVfS1iE
+JYHlo4/cqudjsMjtjhTV9n4FJd9IsuSmZjMHVk3enIyhZ1oliugS25OpWKHnybzj
+65cgxVGPTW31o21w/fEqRRR/KzrEaMZiPyO2EEMcKlB7xmEX9cIdvD99OvLMPEuQ
+UA2hzRKO+A4roidNUT7yp8yy3BkQGLAr4JYaFINreeD+9BrIFx1jRbG3z8xqxtwh
+8P+uR2pyLYaDxeyxkjM7zDV4ax/iV1+L+z3GiC5GnPZEKkpm89MdI7fzeChttVVk
+CtpnxR3vxK2HqfcQFrTG5HNldzpAJk/tBrHRcyAnXrKs+XZhpOQ3gYoNY4fGeGYM
+c9NyeAUZkqJ1nCfHBAR9bmmCEwZSmhSt5voqZ+zS3DWKG30WtNpYMNEEchtWq8Op
+IEimZ341pZOjWqJ396zJ8qJ1XncffC/yAnRsb0xvhS149dwkDyH+17qVyF+V/pyb
+5unjg6V9g0yZ9TKyH858sRG8acVXo6NhuxCg0w8mJ4LCxcJSTgDA0lXFQcuTBLlZ
+YaXfD/dr60HfyH2ll4b5hlkww9jrg1uNW++FcsCHsZu5DV5QbhyVIYdhyp4dTV/7
+9SJJPmeMacQCNJqg783bpUyVaEecHAg8H/u+Zir0vWdRdpeekO28NLVqgQuPEqzs
+Y53RCbjlbilzHud50HHUAqN3fKJK51I1GrjrSeV9xSVnB5psjmOjPvEagGu4kv+s
+fu/fEge0HPx9FUA2xJR9u1/8swYsiAugoWxXFJVBSDJh2a4759ftd7b2mid0aX86
+OeJcY164mlLbu3d905Ez5mgVBHXDuk/LRwrvdprw48tqMB0Tv77egKbSeQzyQLD0
+ZhUQFIJ1cBlmFIw2ZdXUVlV2MJcK6XMlFkdyHRBTfiHI1V/Q2QFFLkTb64X3iTHC
+Ckow0ibsT76pDCP+Buotfk7gho6WgiojC0URzZPG/KDHUHO173S6Nr23NBpVzxun
+lKf5LiAC5LDoJmAx/XouYjh77LZLsi+jhuG3/DnIULZt8aSm5RKGZ6A3VgaaCXhp
+tG3kSSCD6gKrYt7FrKHQ1dwPakPaDdOrBtd13823sPth7GMKmbhrC/x4Q768ml/i
+Gk7DQoYbRkqi7t66aiYuJASxpYpsUWwO7MYOz2vGxDdskp/AukwnNJTA8e2rL0ki
+seqJ2l7+snUXZ4SFJ/D+wfMK2WeQRTJB4hgu7AQyp543mQ+EYZaNMtKIdgQL86q7
+MZVAx5ad82GNtAMgGLyf72bE1mkTK44poT6dob25z7MxFsM7zjadNDzcgBiYdEHq
+/8U=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ff6a247f0
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA daveKey.pem "OJlNZBx+80dLh4wC6fw5LmBd"
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..3c22edc23
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..274521386
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	keyexchange=ikev2
+	auto=add
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..02045f510
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKL2M91Lu6BYYh
+WxWgMS9z9TMSTwszm5rhO7ZIsCtMRo4PAeYw+++SGXt3CPXb/+p+SWKGlm11rPE7
+1eQ3ehgh2C3hAurfmWO0iQQaCw+fdreeIVCqOQIOP6UqZ327h5yYYpHk8VQv4vBJ
+TpxclU1PqnWheqe1ZlLxsW773LRml/fQt/UgvJkCBTZZONLNMfK+7TDnYaVsAtnc
+gvDN78nUNEe2qY92KK7SrBJ6SpUEg49m51F+XgsGcsgWVHS85on3Om/G48crLEVJ
+jdu8CxewSRVgb+lPJWzHd8QsU0Vg/7vlqs3ZRMyNtNKrr4opSvVbA6agGlTXhDCr
+eDiXU8KHAgMBAAECggEAIEUH9epqO/p9uf0rqnGvPTa5fAaZpxcC1UgOg/N6NaZd
+LhADiXXseskOZ6VKeF6UMqvLyedgeROtPPuafTBDgcNbLzqj+iQlQb9MpEt3pt/v
+1pFCqqiGp3eJCQeTjcbLO5cf6gaKhUoXR9wAINbDjB+MvsUw10cJngHP0Osc7/Kw
+d70Hqu9JibdVlGFLFqd4iRouSQNp0qlXHd9c0WUzFjioo8lhhKglnrWIyqs7v6uc
+D3e2bIMOzw8pTcG2el82t14+CV4keGTxmrIS/b804JJTFsoTw0K0ukZOz5PSqOOe
+7iTdY93dk4EBqfS48N6Qdl4cH9pcYuFhzHEnlK6uoQKBgQD4XWCmmQRHkm2hq523
+8JSl1DWxH3DF/vlUGongWJgAEZDP3GUbiiPMv+jnvazSJXdvAWmdBr5a5avEaQ/p
+m4H9nzaelzQ3+8ui79vh3G+Difsr5444R/TwUyOyx7a2pMhcoKpyZCdHQ09DWPC6
+8Qqxc/nD8k6WdFcBed3iPGwkjQKBgQDQZpPrXJK21Rb2MLebG5jqORDLxMRCpHec
+4W9bCYJchY6k38xNM+6z5N6XGn+l0qFT6ag+ZfdSfKd7k+/CV5YOrdjOW1flkNkY
+nlQmUq42d8YjNDo5wdFtvvMGlAbqpJE+66BuCjrzyFOdvUvn2crzzNZUrjl65/qn
+K6gj5LAgYwKBgQDvK8TySfKEFe97O6/TPVt4YeYenn9UPBjQNApIQCiIEGJauQuo
+vJuDBd/8onx1llzwSfTxoVfYYsnJh78qIHXKzfKkQEmqC9FrI/6j/0pn6o01F3Su
+oCSw9e8vsAE023STNqlNJUNp7di7qz+PVqYMgvmoB4REgN50bm4M+lDN1QKBgHsy
+2Ok/rcAGEu/xdulsFCcLG0HLDdbz0X5dyu2/nmBB2EThxK4zMD8K4wfi82k9LoAj
+1oEk2GPcK0qj9w4lpyEAZvX/C+Q7kAu8tbR+Fl0+y1ROcMlqKfu98X+HDNuz8+WF
+eC71P0qUt9G9cV0b5J3iDya6ZGKjNwuShHDLpc9PAoGAMk/6z3BeZ0b3QdJP9qoL
+sUqtVcukHrd1jmzA1R9A/qxrSkWc43SvQkKH9gKwYUUgB5tDa46QzeDd/2eTBOnv
+3XSi/7/m5OG9EjbDYEE/LSZW4As+PLIXVnZxv3OnIqIi5ehdEJ/ix3yvWVH1ufQX
+HHRK+nF/5+kwZIjmq4c0Epg=
+-----END PRIVATE KEY-----
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9333bcdf4
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat b/testing/tests/ikev2/rw-pkcs8/posttest.dat
index 7cebd7f25..7cebd7f25 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/posttest.dat
diff --git a/testing/tests/ikev2/rw-pkcs8/pretest.dat b/testing/tests/ikev2/rw-pkcs8/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-pkcs8/test.conf b/testing/tests/ikev2/rw-pkcs8/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev2/rw-pkcs8/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-radius-accounting/description.txt b/testing/tests/ikev2/rw-radius-accounting/description.txt
new file mode 100644
index 000000000..6d0224cdc
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/description.txt
@@ -0,0 +1,14 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the client by sending
+an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> then uses the <i>Extensible Authentication Protocol</i>
+in association with an  <i>MD5</i> challenge and response protocol
+(<b>EAP-MD5</b>) to authenticate against the gateway <b>moon</b>.
+In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior
+<b>carol</b> uses the EAP identity <b>carol</b>.
+The user password is kept in <b>ipsec.secrets</b> on the client <b>carol</b>
+and the gateway forwards all EAP messages to the RADIUS server <b>alice</b>.
+<p/>
+Since RADIUS accounting is enabled in <b>strongswan.conf</b>, gateway <b>moon</b>
+sends user name, connection time and data volume information to the
+RADIUS server <b>alice</b>.
diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
new file mode 100644
index 000000000..d23d6360b
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
@@ -0,0 +1,15 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
+moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 5 -s 1392 PH_IP_ALICE::1400 bytes from PH_IP_ALICE::YES
+carol::ipsec down home::no output expected::NO
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+alice::cat /var/log/radius/radacct/10.1.0.1/*::User-Name =.*carol::YES
+alice::cat /var/log/radius/radacct/10.1.0.1/*::Acct-Output-Octets = 7100::YES
+alice::cat /var/log/radius/radacct/10.1.0.1/*::Acct-Input-Octets = 7100::YES
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf
index f4e179aa4..f4e179aa4 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf
index 1143a0473..1143a0473 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..2de32a6f2
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
+
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..247b918e3
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..5f779d1af
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftnexthop=%direct
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	eap_identity=carol
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..23d79cf2e
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..fe067d344
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..962a418d9
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,88 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow RADIUS accounting protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1813 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1813 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..11ff84400
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	rightid=*@strongswan.org
+	rightsendcert=never
+	rightauth=eap-radius
+	eap_identity=%any
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.secrets
index e86d6aa5c..e86d6aa5c 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..52927c1fd
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+      accounting = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/posttest.dat b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
new file mode 100644
index 000000000..b1f971402
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
@@ -0,0 +1,7 @@
+carol::ipsec stop
+moon::ipsec stop
+alice::/etc/init.d/radiusd stop
+alice::cat /var/log/radius/radacct/10.1.0.1/*
+carol::/etc/init.d/iptables stop 2> /dev/null
+moon::/etc/init.d/iptables stop 2> /dev/null
+
diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
new file mode 100644
index 000000000..30c8bd573
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+alice::rm /var/log/radius/radacct/10.1.0.1/*
+alice::/etc/init.d/radiusd start 
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-radius-accounting/test.conf b/testing/tests/ikev2/rw-radius-accounting/test.conf
new file mode 100644
index 000000000..e0d77b583
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/shunt-policies/description.txt b/testing/tests/ikev2/shunt-policies/description.txt
new file mode 100644
index 000000000..dd78a5ef1
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/description.txt
@@ -0,0 +1,11 @@
+All traffic from the clients <b>alice</b> and <b>venus</b> is tunneled
+by default gateway <b>moon</b> to VPN gateway <b>sun</b>. In order to
+prevent local traffic within the <b>10.1.0.0/16</b> subnet to enter the
+tunnel, a <b>local-net</b> shunt policy with <b>type=pass</b> is set up.
+In order for the shunt to work, automatic route insertion must be disabled
+by adding <b>install_routes = no</b> to the charon section of <b>strongswan.conf</b>.
+<p/>
+In order to demonstrate the use of <b>type=drop</b> shunt policies, the
+<b>venus-icmp</b> connection prevents ICMP traffic to and from <b>venus</b>
+to use the IPsec tunnel by dropping such packets. Since this policy does not
+apply to the localnet, <b>venus</b> and <b>moon</b> can still ping each other.
diff --git a/testing/tests/ikev2/shunt-policies/evaltest.dat b/testing/tests/ikev2/shunt-policies/evaltest.dat
new file mode 100644
index 000000000..2f6e1a91f
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/evaltest.dat
@@ -0,0 +1,16 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+moon::ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+bob::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+venus::ssh PH_IP_BOB hostname::bob::YES
+bob::ssh PH_IP_VENUS hostname::venus::YES
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..2b90a14c7
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# allow icmp in local net
+	iptables -A INPUT  -i eth1 -p icmp -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a4958f295
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,43 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn local-net
+	leftsubnet=10.1.0.0/16
+	rightsubnet=10.1.0.0/16
+	authby=never
+	type=pass
+	auto=route
+
+conn venus-icmp
+	leftsubnet=10.1.0.20/32
+	rightsubnet=0.0.0.0/0
+	leftprotoport=icmp
+	rightprotoport=icmp
+	leftauth=any
+	rightauth=any	
+	type=drop
+	auto=route
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=0.0.0.0/0
+	auto=add
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..a2e9134c0
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+  install_routes = no
+}
diff --git a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..c3b36fb7c
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=0.0.0.0/0
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..cb17a9e07
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/shunt-policies/posttest.dat b/testing/tests/ikev2/shunt-policies/posttest.dat
new file mode 100644
index 000000000..a4c96e10f
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+
diff --git a/testing/tests/ikev2/shunt-policies/pretest.dat b/testing/tests/ikev2/shunt-policies/pretest.dat
new file mode 100644
index 000000000..2d7a78acb
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/shunt-policies/test.conf b/testing/tests/ikev2/shunt-policies/test.conf
new file mode 100644
index 000000000..cf2ef7424
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/strong-keys-certs/description.txt b/testing/tests/ikev2/strong-keys-certs/description.txt
index 9d0ca5528..fc1280729 100644
--- a/testing/tests/ikev2/strong-keys-certs/description.txt
+++ b/testing/tests/ikev2/strong-keys-certs/description.txt
@@ -2,6 +2,6 @@ This scenario is derived from <a href="../rw-cert"><b>ikev2/rw-cert</b></a>.
 The gateway <b>moon</b> uses a 2048 bit RSA private key protected by <b>AES-128</b>
 encryption whereas the roadwarriors <b>carol</b> and <b>dave</b> have an
 <b>AES-192</b> and <b>AES-256</b> envelope, respectively. 
-The X.509 certificate of the gateway <b>moon</b> uses a <b>SHA-256</b> hash in
+The X.509 certificate of the gateway <b>moon</b> uses a <b>SHA-224</b> hash in
 its signature whereas the certificates of the roadwarriors <b>carol</b>
 and <b>dave</b> use <b>SHA-384</b> and <b>SHA-512</b>, respectively.
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
index d4b532323..929f737c8 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEITCCAwmgAwIBAgIBETANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEITCCAwmgAwIBAgIBJTANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA2MTAwODEyMTI1MFoXDTExMTAwNzEyMTI1MFowWTELMAkGA1UE
+b290IENBMB4XDTExMTAxNzEyNDc1OVoXDTE2MTAxNTEyNDc1OVowWTELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0z
 ODQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAtCwjB6Yni4jSTbPJ4GX0kM06nr2tDBdU0PH6dZra
-IXNaNiBthBNPNDeCYAQDG/ouwuywAJ6L2Lt0GYEhJSwfXMm87fYSG8qRP+C/nlKz
-3fCfsuZ8yOAo5NAp2kgvbFVdB5cMeOtid21UqUvDxkncjFRDgpERtrjSthalUFYu
-ObIcSMPdlcDho73jzq6zVK5XDJ4l1LHUQLbS4SzyrphCYKekTIoDy3YwRUys6Pdm
-4QlFBIXuBwOYHjclvVu0HQVNSM4nWAJd+204KUm/+8neO0kn1Yakv9yoa47o3KGP
-3XjtmcgY9SqBbuF+8yDcZQ7+5zUBjc0J+d8txdPoIjLi7wIDAQABo4IBBjCCAQIw
-CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFIUlEfDm3V0eDmRrpIvj
-4FiPpGlpMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw
+AQEFAAOCAQ8AMIIBCgKCAQEAuByYUPGv67XSQHjpfFjhuH/l/sMIQGhsFcO4ebYv
+7otSsjbH4gasmAOvEFxoIxkOG9IWFAHP1WyiqG3sOsyyfUg6wHl1FTe4Y3kHWZp0
+DvtT6CWnnxQwKibIhXfB3IPHRTcRG1zGN4J3Vl6IofIRlrl0K3NYUUofn0xMKAoS
+hLjwuqq2eviX5NIQDOTnoga2C5Ed58hIc6/YWXzfg9EpB194tcCWmSj7yfq6ruD9
+xAh32ywd10fsi4tt3F/BWzXjySxBlBhvvh6kL/Nqa6OSWaXsvZqXmrYm+hm4LKkO
+ZLZYzBqJRpRm1rEhYqMg2u0SSSTXsNFuw+027n7Vt8+DzwIDAQABo4IBBjCCAQIw
+CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFPk6ATSleHErWFAYkCZD
+BhDo8X1qMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw
 CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMS
 c3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3
 YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAL5ZmFmy8lW4Vdwq
-hWB6qTtLLa1wwCvTXwbV9V+F8dK39AvHj6CHFqTiFhAbGIq/Ryt9cg2XGy1TDjVj
-hQEua7mjp8XH2j2NLY2SiFTMjchbHmMylFk2FrHy2ZnmlRCiH83TAw+EnUWsQKj+
-gL+7Of9SpiaaIblrl+aCiBVktRuXcFSaxjYWTVXOeTCwnxQdF2SNtUKDoCuVPk1J
-XCrs86mj575xL/FGjyN4SVbjTEZ4lm1emxrf/RblZOhCKp7mUic8KyP0kf7o6X8E
-MXXjq9fDQVrSDG/q62uhZu7CyInnBpWnoUKiMImSxRn/cs0r7RUspC5DtJyhE33Y
-DW2BzIc=
+cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAHiE/MMyXJXuMuhw
+/lu/UwjCHbbJMA9QrBJe++34OwAV0siM98loVLs23vHXk/52QHRIwZgMLO2FF9Pk
+4JkFOvTXCgNPZKrUL28UhHsnJe8EZVOuir5o6yTSti+J/tR4M2YoY67JjW/KeTwU
+BVBtBVH88gf/xm2mSlIrkHxG3/GWqyEdeY7BOaft1sFTTZ1gKKXQlARtWidho1mf
+5Y1lZ//kOuvMjnk+hEWPWESq8lBzLOmQGBk65vaEH3LVZxSQVJbfG2E0dHgPZNgc
+hFOS8Oc6L6AfKlWHAT0ZCR5+1YsxxnlsftHzxiA0ayGCgpn2qcN+OPjfzPCtC80N
+6oXDLZM=
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem
index 979740525..497d957e3 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem
@@ -1,30 +1,30 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-192-CBC,3127472197F76F3E81FF26DCD894FE6F
+DEK-Info: AES-192-CBC,0BFCA887A0607C7629452B14E865F782
 
-ixCdabns1DD2EVjOUQYbxes+mSU6WmfUnRPBthTw1K3X7/jYEVRrApZlPoRxfitg
-7aHdqsV70elT48ucP4z410jupq80OI5/3I31zHiqDpmUNXr0ZGs69dC2g01op98Q
-IWfbHygALh0PDjhczHWhDBOx+gJDN58qgMfCI2hUDqpcYD9gvEpkkdM/R3Ggwgiq
-f+HBD4rQHcpvuKCPIOBVAR/4cXE3D8pcls3FJALwNGf03yIm24hEG2mTz5cDIVTw
-m0Bjk5Hbiym4LBreUoVQUF04wDXsuDtz7m1IPkw4GsYpeiomqRyAs7bKUJhbKwaK
-/l2MKoQ06Ofx0kc20CG7/qoboiqUgDEOsNd/qdMVOXcqinONW2v2T8+mEi/iLZDJ
-B6WXoV15PBkHXfaKeA66oFfF8EqggF4gLoPwekz1jvz5hbeTNYCiuFsMV9ntTxoE
-opohFNBvY2ZbJUmmkecgSJcmmByR2cahukh91PjssfZUjMOJjoTpuB3OXF9J6g9U
-RKWYxgcyT1n0e0MbYxe4TXHxxUDa5UBkquELQ2gcmJDO5GFuXF40mcvcz3Bse6I7
-GTRvhSL3hmRvbODE3JVI2dISHJ60Fethjxo5JNmCuBqnSkc2KPvsS7ulqANMnnNE
-5u2g9RMAtYKfkwscLY8zByouCZTS2pAI+LQd/eTm3/TAZWDJx/Z2UA5peFm2At4n
-aerRYP20TeaAI4tcnqsrOpBj0ouphgkGUTGAbBhjR3c2rSoOHxmjQXJOAc59vjgG
-zBl2F9M1xtjuTFZxFLMbnx15W1l5rmhZmSTdDY8C5ePBcjn6umxl6QdwvPjbkMIL
-MoeyM6w1Eqweg+m25CFOCWrFnglZNM6lcsR3X88oz+gzmHOs/VtAQn7vCA2Ukc5m
-RuLro/1juBjMrXd63Mqvxml/0lcSrXH1/ZiTdrdakU5rHNk9554tSL14rBSD86tQ
-u7unnobiXTmE0l/fDVuRYzW/Y8GGEr5S2t7SOuNFnU+tXTdavftJD0D7F8v4/bTf
-ObDe5qJ/7Y7X/8i6L+va1cm5rXNDI1qrBgwmNv7FbY1G0qBIP80ie7FbcsCpXauE
-T5HWTOdJX+xpTVCHXnBriMhlFHXAIKUVdAZqbzgRFWPCOYpzpztgny4l83qP0OLw
-vYxvU7RSGFAamRz05t3vHXy3X8n7JulleE8laBFpwx9Xq/bEAkwwmZq1Y6tbksae
-4G9aJ6Tdr4SA7BsH+FrtLtwFUkzgmKg+MqDGXamFSx0rvhksl3u67tMpGh0Il8KS
-xGfpPXRKaeQwZ18AA1xfPVl01Ajuxhnmmr/ng8WR+DfBpx7uK3lSpUX37Gh06DP5
-Of9oPHpc+Z0Asx/k6XWYGP9G15azUXP5ejebl19QQdZex/wP0MkKNlZ/BH0xJO+a
-FLOkg4OhtTppIA0dOhj/v/WCLC+pdl+78pBOQO7dpuJeYrcVvhiQKMhEJdYiYLXY
-ZcbN+E0Ta8I9fX1D6qgIEhL0NOczEYT9kYYQZJf2LW9k+dxICPV/0hEjaRNyMrei
-C9ZP1k9cEhNMSVRVV2jm2PhOW3nvOFUNkG8OIfFhCri8dXWaGVS/DMb18rpSoB+B
+NG0IHVWcpgMabsPpHUOQeWi5pbAaXeQMkBMAJt2v5UIkB8oKojx4tFt98IKxlkPX
+oUNYiw5Ku5Iz61EgO2Lk7NKYB1RPVYSvqnNOtqOdnbU6mb+rZD8dP42wLmVU91SP
+VkBGCutAV3jP+lP5WYxTqUJI+MHaWaQxxDABgVYwpOgRdri1hqvcqVU0+BIEgnq0
+PzjOGF34zOyProCo3T8R4Y3QkuFy9KJAKfBRVQVyx2Mmu/3cGB6k+7YiU614WBxM
+MlG7gMWx054QrYte5G9RvLCv98katprqbxSFF9Co1aOkLMxdY8vdyEn0I+oUfZuB
+bZ8e5cdWEzdkz34rquh7cty+WyMfwboYgndXtnke33k2nltoP4Nhvgehyo3hQcio
+4elGTyYTlzzSR+bcAtF2otcPL3idTlcCJQ/8gcydotY3oBI44lUhPbIYONKQYYUX
+wYrKdZDHa2zxKRyWLEgbEqfN3S20iITREUu5pTAB4nzNtNf7Af6R81bS5/WsfdDk
+VfJJC+ICX2GWxNefUPR+/wMtHLv2lIDzuBFFborF7v5YYHbQpXpjWbpFVaw7/0Gf
+d5XuHG3OBMmZL0q0rLbSrOfWISJ2QnPmC9bqp6OgncTMDuMXkmyXTDu1F+oT8gZ2
+IBRL94gPvG5hJYaAIZXxxElbxhzmNb4E1nnYikYJXJDvjOk2+yPVZkVOCBGqP5Mn
+p2ieW5ZBBlUtnVcRAalJKxU9l/vPjtQjE1/aeH2Z/B01Rjn65kiVXwyLQxnxBtDA
+ed7Rpdc+wcnlleMLkIg8FntXpb7CIxqNx3eC8yaq7kHDCaWHL+6/4bexb/Q7Nzxi
+H70ITSHu7L4p1KpLJIyaYHRYG0AKjr+vezK5SjREjZMpH+w805QLz5d0QpJSDTWI
+XOkPW/vKvnacvUlPIlQrAS5fxMCQJgQmTGvbKnC+qE1Tbkc4Bz19cZn6Fseq1tPa
+i8w2AKno1t+pRfXXrh7p8A0YxEBA0atf1O7gnyg6aMcMHfm3kSxq6xuPhNI4gG9z
+v3yLNBd/08GGEtHNa6jG3cvankHpG6VUjFd5jwaHpvLZCh8U4sA7r4soXXag49LC
+Y5UkHcjFkcbacBKX39x/AnGUCmP/bq+PLJQ7z35XQ360rqFTlGPISGzLaDiBKFxc
+53xtkkgTqcrZq5Tv9xOIT+EhH7Z7ndAtA4hIs4rSc0d6zde206w3hzqzUwooPppj
+qEd+FSb/lPnKQ5Q9z8pod28+CxCaxqxFBqfDT6ORlegdlvIWDvw4HS6BVWK9ZVy+
+xODJ4t1hTuTNEZUiyG6DMkhuQ41L39mnHxcSjWicS6BLYql+BAxM+Yp62VC5q3p6
+qIG17JjTSOm4FuyO2R9l2/jXjj4l4adPDtCmpJfI6PXjXdptWBITl1YrgHgeEme5
+H+Ag9HQgqbuP8REc4TwwCoMOV38KLsvlxK2oa1o2dJPF3Tck1rQNVM5mY8TnxSN2
+ozygG/ECyMoCyBDJYELfh1SN4OmX8kbsl4t6YxqydmRy9AqaLOwwSCKIWLH0graF
+HwDujb3VkM9nhplw8aNeLZef4M1EpCwVVW+i6h9ADfWClePjJlJ9XTtgZku1TPEA
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
index 73088cd1d..fc769c1c9 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBEjANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ
+MIIEHzCCAwegAwIBAgIBJjANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA2MTAwODEyMjExMloXDTExMTAwNzEyMjExMlowWDELMAkGA1UE
+b290IENBMB4XDTExMTAxNzEyNTAzMFoXDTE2MTAxNTEyNTAzMFowWDELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS01
 MTIxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDL4+PsltDM0QCCS08tkefhll5Q0nb2VEdRZotBIdt6
-XEY1kmDlw0yQOp0XUznnIhcrxXpKeWpLqJdbo56jSxMaUB3Mod1u+aKvVhCgkOT8
-uQa7gIdcNMuXnfnch7yYYS6YxVfzdr/qXBxmVYNbR9sXy48vAD6glZLEVjDITHJO
-a6tEVSrAOMyeuA9XTYJiGw5loj63YbUr6Ikp6W9SncPCtfX6G2Amk38MTuITu93W
-Pd/bGB06ra6gmMQGAhXuGs14n3QZfQz9PWTp9TPsQNqQZdEjQyNdfeAKtPuz5jnO
-cnZuhvVR0q4sxWuy64vkyZ57luTZAXyxdInBeBOp7sC3AgMBAAGjggEFMIIBATAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU0wvMMeoe59mocM/RiYnD
-iw9NUm0wbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+AQUAA4IBDwAwggEKAoIBAQCs5SBCzV3Is/w7CIzfBXRGv6uXwyDivRXXYsczeSRf
+5mw/slRVAEtNbX8rQ8BWLIqiJPCLDek5ODkqKI+hArZVpJqMzZyql2Teosrtnokb
+h/yA8EWtEr0jII2RxQ0xb8r25h+DwBosAM15B1rCAMmJOjbEMMBGmAb7y7N0K8nr
+Z8RctwrRdCGVcg+f+LFrklF1tBLs0zGIrJsk1eB0XbrB+fEPar9Lmn+/q2QHGPCt
+aOlR2ZxRsjqsYJW9yI8r33PVVm2aGmS/19UguEG8FC3owud0boHfP91/NvSIWfhP
+iIuDPjJOBPEJ/I6OYjYXXQuOZYwFGau2WrpNDQioPgedAgMBAAGjggEFMIIBATAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU5re6olyWAt1HfN2l92Rb
+7DDCnxMwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
 BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
 dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdzd2Fu
 Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQC/uKe2O9elbSFgpKP5
-7ZjJrCkYu493iH/PDm5G4D76q6WkRvZDqTgGDSIrXrt1xRLIsVJES+HERxfED0DB
-yXNe22p1jR8iZdCesZxmEsKYyLh9XmeixKCfnLvStWCVs0+vqwhJlIkyEAveZ4HR
-Yq121khdmCDDUugpjEl/nU7CLvCRVgFrlhDm1QLs2rYqxwQrJ2SH4/1W0YRdkY2R
-vKZ2ngjLBNjBfXWNXSOpEAG367nVam5lFAepUC0wZTshyCUXt1NzClTnxWABm6M6
-x2Qwg4D6Qt5iXSjR8+DGVh+LaBL/alQi1YYcjkxufdFHnko294c0HsZcTZ3KRghk
-ue1F
+L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQAtRPFMSuEnPmqeC2mF
+OE5N26r2p8HfB4FAPwarlg66IIvKvkk1zqn5YfZIXfMU/x5q+85aO31iQmjlAPpo
+KXqRq7V0a0ldjXEr+Tz7xG3jno989dBrD3kQZnwXR57xGt1qTVGY7uQdbgXWzVHM
+GYS6gjUw7Df9vAQcTfUxUpZc5wlDoiRrFkyPc1raFCZF3//Ig9agjO4r1SzPHYw7
+LrHJR1xkd0IWVTW8Z6xB14j452IiimhyK1zAR3zmh1vH9VuHDLHMhyjSl1R+gk5U
+KzDPaqXd4NA7eIQNiAhysYTXfmUYytbFNZw9bamxTxlCmca1snuTIcFM5OYOfxRT
+iKMh
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem
index e2a1ccb26..3223c1dfc 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem
@@ -1,30 +1,30 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-256-CBC,088DA49D259D5876324277FE7C38F22B
+DEK-Info: AES-256-CBC,8AF4F2ED0B6D096AD675CFDC4F41083B
 
-fChe2r3NjWQnfK3tFIUHtrnYsU+CzbGKmWE1T8ARaLeVC7XtPN99odBYTBOzJj98
-REHk41NWHlVjcY+2ACedniTsQcvuuN3bMHGvyikQeLmg7tc54pQrc85BHfdGrU49
-5Bzhxn29kqY33Dt2aeAMyP3k/b5HyZlCGuQUJx71uPsaEl1so5QE0aIBLaCutIUz
-zZcAAa6ahFhw2oOcU2kj8ACGzXrJvBhVU97/yZTdfqrTJauoPXL/WQ+ScfMBhQ0x
-vaJbaVy8On1SXTMH2K1ehszjpeFTeRVgndkWuUipwm/xlyzoubs8L4BhJZNzV23r
-04ZGYxwSQ0rZBEt+TqopVpc/iMx/vg33P8PHrI45DeoztvjHpD6Fgj5Yh2kGgU5R
-cKD1ejgX3FMwTSI5xumUi8mQ+N2pUIK9polS146dpQRoM8F9hsXkYoK/l9Em5jJA
-V4vBBbVr6E9G0fVyHboqIzAHgFiC3xnCvVC/Cnyit4zD7D0E86pktR0y4Imtxten
-3WUV4rNAVkLR0D5Hoslk9nsqEaOxDBzUVU/zfG8GXItpWQgug5sb6RjcrK0b4Fit
-iHsEO5qLZ09cM+1hoddgibUQd0G+iZDPfPc++SCdZVjcvdSOOtcUCJwQGjOdGi9U
-I30gjh1Vtql67CnykRmk38duTFFNpL3zLNGfiA+kUeHDr0C4zeD2NsK4v/4nLAO1
-OWSYYFGrhbU5C96q3rgczdh+TurgIhM+ktBUJ/7yYV2eTRlRT35Wk03O7STBLinV
-jaXuDBOKb/NAYgA+xtOeBqd1c4cSdOxJEv80G9hhXxxNgf1W1OHDNY6+qXhnLZJU
-o1kbF6QNI+R+ip8643GwdLEcz5s49V7x53TDcCGnW2TwzVVHvj+63u5RPcfu8b9e
-gz0ey++z6OWvEIt/7NiTzA0dZdmiNLY24uHDHvQ5XmMs4XVM1r5wSFXvs/tDuUpK
-/a9zMbr12RDsObVcXXr07FD5Zyh/y2mBEB7xRFXKk5tt++Hvlzbgqxypgq9t5+m8
-PBddV4GarMuZw8bRjMHJ2CVY1VyRGIx+StsHehVMWdfzZTm/Uizq/yPaxqbQE8wY
-Vcm6wgYRekAga6I9XsHZ0TBfKtfZqXf0kXX0A+ymQYbfyUm2MqWV5avOKtBRIqcW
-B9jCKxah7rjQNlI7vzwZ/whePHU2sL4D23aGGZa373Ql2CmB3AetxYtkRGTSILw9
-aT+ZNgh+BGq6lcdlyks29fFuWRlE+NyJIAwmIVEisZGFijFe5WXBhKWsvEt2JT1v
-3qW9lMimOgpkClroPSdb9gQMt1yXDR6z1ty+B41kgy5qSxUiL8z8EUCWPEBPrz5+
-+3KGi1cU5BsfptnkFYCSnVSyRxARh310mruQ2Mb6ipIXX95ejQPSskz5P4u26Olt
-UHyS0lgDc8hZTwJUchE5wqj4bAJs12mKbIbapjYv83OAEW8ybGz8R6QVMp3pAad3
-O2WGef6evGrbGKHI6ACMEHaz8fP8GIMjhbJkPxsXYGRsHbUsqYcSmew3EYW51qSA
-xMhrzZ6e9ow4PYDuNnUc4bFeV0BIVl6kH7KscT1LBtJVJkXDDoddxFiEhcRjOLDr
+2ezZg1fOw6Wcvk2ei1VLqpA1Z5lxroSsibmDu5+UuyJyTtdbPPY0iWxnryVoaXBq
+9VK4AD7lkoJOX/CymbzSSOkBL4t9fN6akefTN6rEY6g8zN2q4al3xxIvZv0WgCDg
+XxqJ8ZsdZmUoe12RbJ6HvMw9UR2m2XZYvwcD9+hzT8Agsy5JBV5Nkgxc52ZVYoIh
+O5E+PI3w1yrXrzIPx9H8nj3VKRGguZCVFtae7ChSSxotoaIQxM6weVkEDUQXtSs9
+CmtXrn/o6uiafzfHx2pPELdsARlnuyvbKATrOr5lwnM4kwUl+bBvoRI7YaUsg/A5
+48gy82PQRZoWH3ofQv1d24sGc6ZctrzRRrCLzDAGDd3fw8bJkV2b/9D1u9O5Df7+
+Vs0fdrRoP8ooa9d131zBy1brDUckTsTIQZ3Sn4FdBI610MX7l5gJ+7vXYqp/rMOt
+Rq8LZoKggzeklwYjum77YFdtbv4m4ihI4DUYHY0xWgMDUMQTFLEUgvAeNrPNRRwI
+Ep1JmV9I7it6DHrCD9QmVWUoxSgRqodQDV4p3npH8WlrJMlL0ReiOJZ45PWOsmvI
+AAjdsKLwqQEfXkckCvtCM7Nuu8pNA7UUm9TqNLFOFR3HWtm0si1IE8iXu3v/o/tx
+OzzRl5pxc1tg8TFiFrNT2+6+HcAJOnWboYJRJzkcW2UzVpSZ04BLiXHPfGue1gG7
+uPZ+pp3k4iQrRRC45I1I0MwE2gOpppt/MUmNVPGqvL/Uu4RGzOjPk6Re4mm3GvIs
+JOD1Pqsg01OUqKTNqsTPEld8vLwFPlOgXwmPLr5cpC/hGo0YUx3ysJ8Hw3FN20V6
++nm9xWpPytNqfaY7jaxhMYZPgz81WOuGrlCv48VkoJiWlrTxbaq2t4IzR2SdyXKd
+HNu6ryFn0WVw6hVm2aE8Al9mLxmaiMhg6HaonPoQSVoHRCCM8/GoJQRx9I6lonTC
+ZY04BuAUT+nmMlEa0vlLI+tbS7gNkSNG/UyUFGRN++vzQE6s2LPfe9FRsdOfnhaO
+W2VqbFbiKkPK+pKXjh7ln+NMrXIGxYVtuKWFEUEp9drh5MQCUFNLTn2Jblb6u0kQ
+WdBP9Ku+ea9VprmUVnTYhaRZbuMwQFlfx9eImZ1UQPs8MWSUWI0t4RB+9kdN66n2
++H3aJTpGv4BGNdSohSCbKKe/VttflnkMQHZmSY1iTDQJhZqbMSAuNv/H3DV1ZBWv
+pR1MYwG/kXbaKaFRTctPE8tLxTvO8GG9JmOPuMgldYD2wq4zAu4Fr+Ve0jjznQGN
+nGDtG7NoUJxJBbcFFPY4pRH3wtLWXlc1WUnPAxen17ZjbYHrvA3WJqTNCdtQ9tan
+StaDqbhDTwSS9HDAvdH7tXLk+lQ+xlaeKFDRd/6K3Tngtjwly+kJjTH1bWR9BXyc
+rHeDSpexPdMgVccuDTGDloebjZ/lZVKqkyL0f4/gDOtw7/0kjTZZXkkoVeVKqQyW
+aHREhiszCHhJzW2c+Uw7mPrd4tfolPsI6mneNtt/6CCf0kl5Nkx1rg7Anzo0YSvK
+vHj7ciRZLri/B4fOFhfZvk4Qgjoq2t7cBKnuAcZuN7pNM8DRruDekrHKY2+uHJnU
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
index 64d160f12..f33f26797 100755
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
@@ -14,7 +14,7 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftcert=moonCert-sha256.pem
+	leftcert=moonCert-sha224.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem
new file mode 100644
index 000000000..bda4f528e
--- /dev/null
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENDCCAxygAwIBAgIBJDANBgkqhkiG9w0BAQ4FADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTExMTAxNzEyNDUwN1oXDTE2MTAxNTEyNDUwN1owWDELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0y
+MjQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDEPYW1tmcbkgNMcnOHXAKHlgL2k7r1+rVWJ/8NF9vI
+7MpQ8qomHPV3G00CYSQsCDgBVvK71pasiz+dsYdHAY28ihb2m/lsaSquwsb0Fexj
+hJiqaohcLJk0MjTDUdArh6iddvDAYMDkfApM49TaXNxdz0sffV5KOIH0hrQe0wsw
+P2p/SHTATNh3ebTLr8Y7dMKecxFrKQswZc+d7gvIftZXRvjsUprc77dDURGByPw3
+N+/23chuDXNNaxMylWQhmiTUne8tIyg0vtur3do5Dq1IqQKqvxSfBjRL6ZJU0/6l
+KuhChV0cSVd2H2zzovuke5XzHzUsoESWXWYK9qIEj2HRAgMBAAGjggEaMIIBFjAJ
+BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUT4FJonJgeZBpFHc8iosc
+WWM+mPswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
+BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
+dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2Fu
+Lm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEB
+DgUAA4IBAQA60WN0QwQuFVYg/C156POjKENZP9CGF8NyiC/NUYqgbIrGGTTpwTxs
+pW/+YDG1tVtCkqtLGsO0uZRe8Ihs3afNsPMNlCiTCPgrs5erc4ZTv5MB7Ap2lyL5
+NSQ9SggICbQhkHQHP6TINtas9+FrAw10jWIa107DYLLC7Ea77Y5vryL6/ymrpwdL
+Vwm9kAkGYvm0lmzw6YfzPskKc3MpWnjBTraPG42Z8oWTEDJnBtS761k60lNwndKC
+JdRUxoOOegzsKIIzorRz9xCN2zA2CAeChqHMbBpNCRwl0dQ00ztXReONl97iNgw6
+NrdHsqCiH8Q+I2JCxU230Zl6UFKARLo+
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem
deleted file mode 100644
index 307f4953e..000000000
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha256.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBEDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA2MTAwODEwNTgxMVoXDTExMTAwNzEwNTgxMVowWDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0y
-NTYxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDzXHm8D8sY1lmX7o1KK0jt/M+UzAI2Ifpx7nAqoviH
-XQIPe56BOAm4zHhEIlojEMFd1nncplXvDDGjuV/2F0KK1bFxbNtom88Ix1jrRWtk
-FLopYwj3ERC2970OhNO3nuPLrnEAzj6k3XPGMTA3drGnpRf162f7mHAdmYIRXtWm
-mfaecs4wGFs8BFGdeDfo6SPhQXZSBwZqjzQxvk1PA7E1qifgR5IGNZkNQRQ9IZD0
-86xzjmZgg5DaJcQKw45elpiVKQN6OkdWTngR3uUBfseWNeRGP5UxCUbDnPijWUbA
-6ZAdEfFXLgSpSoXHLNttvGg+SWm0kgKTpHYWYhvpflKNAgMBAAGjggEFMIIBATAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU0gL3aEo/H8c/Ld/GkBTb
-W9Ma+nUwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
-BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
-dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2Fu
-Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCItzRn3TNWUzczBd8z
-MtdPEsRl5Oi4fV3UecQxhjxAmJDLsEZT5I4uNa1XoLkJm6jVdSL7k+bjzjmpNJ1H
-uL49cqia2yTdGP4IU0K8dTGaflg3ccaLLGGXTWU/NtgdI1o6yuZTwb6a9ZL7wWZT
-x21BAsvyPTzCpUS1yCK4bFeYOxOYDphUGcwb0JTuRxx2/710b+p64BYiCfVkQJxT
-eF1ZtjSW6nJgzMRg5n2zNpdrdXMMCPI6Nl7V6wxbs3Cphmz5qx3lijwi7nZt+jE5
-qK5gphph1MkKIhnA7MF66KEcx5Rknao68yLBBDIA/AISZ3bCIj8R1SGgl/tMYfep
-sbRF
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem
index bc9ed38c8..90631fb98 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem
@@ -1,30 +1,30 @@
 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,381AA672F615E55CD044FB981754FDA6
+DEK-Info: AES-128-CBC,3EEEC63B86A4F0864B610F29D446AB99
 
-whvkSUJ2sAIH4EOu8vT9LHcKKKG6W9hl/hO++/awU2AVtHn6mYlkkAqDRJiOZbbT
-vo0ndy+0B0tCoTyKZbiMRNc6bzHPNgS17cVa2wXrzzMo64xRcElzdN14L8UGA7Cc
-Wu3aD0zmzawU9uRZjaQ4qA46FPz/S9/REImZ02QSALIzZJSIIDoUbznBitaHYFve
-eLl7e/0vMS/s03FaRNKrVhids3Z3q7lQoF/z5BzBaKNBaDYDLhMeScjNF6QZnDUe
-k+++/l54pozl+RvQI6RljPhOzutIC5D627zfordITsBRYEhv6KPShy673H4McaRz
-tx2zkflsDyPWDWmRLxA0GfD5jQvbS7aZU1R3iyi/TDXacHXlR92bzVu4AHZClOSn
-fypT1h2YnUQOMMw9XlVKklHCWvgpWbVmjiBbnsIh1WjORLgSielrGP/iXVemgzEI
-kaTErf7B7sx1pIMyQ8IFdniFryUSuGDvOV4Dt/PZhxh2oKIBIaVYwrl3jQvYlyNv
-vpBD6MU2wXU4iP7kt9SN63RjzQoYk7TA7f9JlfXlBrjjwSjPYB1R+MoEfovvEr4j
-PHghYnwtwZ4Ok3kR+zxR/M37iJ252IDkOwTuqEXWQMlOlxIeESlh1OYKVLptZwgB
-0mFzzx4JapkHP34c4ntsFc3AbUh8uSt67zLJ7JDFhSQ6ltNu1/92nOjXh5tzwGvo
-ak5lrUpi2zrgyxSgF7fxOxjXr604f7yxOcoWfXQd354dUXdxrMZigh3ajwsGwXxh
-o5Zv+EVXaIpnHnUYmupJwrKQR1ffdVCPlvys99/BlGnvsBzLx+hmut1pjnFwQCPf
-aj8Z3NhSdWspQiUzWm+DXpqPKt+4CL5mdxcjyye9ATOPf+30iuY25WvwelT4rgGt
-NS0iVMJSHnPVMlcibCwVtCl8hvjzq2TYHGo6cCKDaYJ4+Hy6MjgNrHA011HkJ9iC
-P4Ysyq04/OiFPrl0RS+om29By+4/O+w1t0HpuZIFTm6oRg7zWcXtDWkfrhu9WY7e
-m7FI8O2f3ezPoMbiRJmdEi0RFsgyqkTdQLOUUF1ad5ZHEAVghsgvaPG5aRLhXQin
-gqNvHlDmpekOTDLbEn9cyDf5po45LrUgGOBp6DK+AGb6SymjonNxczlG/eNYHtch
-AXBdz5A/n6uP1DXfmGVyI6kZKU+Fotsly5Iov6SLcEicLcfA2oKHK6AIJL+IWGGL
-kkShWx0Dv/2UbEkKDjFl36Z0oD5wSW6fyYeslD4IFCjXwkdgWd7l4nreisW9YTl/
-PdnVOBq6yQxfK0WlAxfGzAabmknIXkSE/BlTb5y8q92U3tR3YFLFQ1hPaSPIokIu
-Op51DMXOfrbnd1iBrybduktdljoxlcAGmg5Dfz+s9fdkESQfw6oNOP5cHxfctAy9
-k21dKvkI/PqWkgwVv94wX8bWx0LgC0aV3F62qM+Y7/r5N4ZsD76GY7VFIFeSoPKx
-Fn9yZOl8JzszvlWNtG7G6DwBL+ZyHS0rM7UEyTwWp8mLasEO96V6dYxD8LqWNbo4
-hY/6xsZOtNDsPdW/Os7MBD+Wf2fL/gzrD7QJyqcy41K8Oxhn2W+Aso3s9DnJ4eSt
+aUw9rzSBLmvzVlWlCePyRXs2LL10A2QGVjB9jiarsjVLd5k1uVPrLVb6lcTVuGR6
+9pC9sA7+F9Ub1V6oe/n5f1UiHiLeaqdYShfVan7N1z0Kvoaqg1qaVNmbGuZH81Mv
+VH/kvfKbig6Gxyn2wxhxoQ84r5uVyzzrfQlrqcwQze43NuRaxh6Eov/vpel8yB4/
+HNSEyItiDenT6tDO4Exw4H91GYWPbutaTmcsbaDSQS54LMcZZA/NVu0Y/uiJ6lxJ
+5qQ8xejBC07nc/g+GJgFRxetd56FdiTXR4ADVUiSgOrUaUu2t9NIMig9VBNYWsmv
+wlKI1NB/Jt111AhbF+wdw9M0Yqe3O4V0N+jTxTzff+0gky61T5CxbhCMosD/Ohzy
+IhRjeuL2gFvCENd2kn0U/1POe9anPJEo7mYfA8oYpxb/jl8KxIxssxLKGDE5qF8n
++J8jGDFbLkiwm/pDeFSWc1LZqKfZsSsBMhffC4NR/hhCi3eY3HnMpnyngzpWpwwY
+eZnElVXFYro3qEuJbLRUkD/7rrLgU+LMoetdB5I8oaEvKucRo7dulLNXUFCt6tbK
+AXLWn+pTCuLpjtAXxWjF6Hyr7ssLEcLjixDwdb66Ypqm3YncjFemsRFncVQe0R0b
+3LY0FH4+GFFXAOywrMP1rQ+2mhl+BH079bu+BhP3bjusJwqBhlz8j4cnbv/STWGl
+B9XnMXYx1NVOMFF23zMm9ftkPa6PvkZ3TcGJX2S849pxPTPrA0oFLfIPqyYLqZ42
++a2jmMdr7lPtcT4ENshpWZ1L8O25Bl10yll+Upx4T7yDrSD/9P+yv/MyIlGiV1x4
+N1oaaVdTLU+ZZbpjVUmD/eSprGye8FzblEhSkY990m5kupWxiPmHzLCKHRYBOnBS
+rNdyiz7pTXAQQLZBP4/RLDlYuIyXmbmn61PSdF7u6K/daUf+voKHHGi5m5NUhnS7
+zkUx+ZrHUoWhybOeMoQT0lsx0BsD+NiuqUbthkTFXyLD2dhvWcyAtsOW2yLMATa3
+09HPwdjI2ntJx4Msz1jqBY8XicXd+NHS5yx1jvg0POnygX4sU9xF0J3hfk/Phwfd
+Cc7I+jWi+1yPwKi85PHEs0F6SW2kxOx9rmdwXi4EC7Lii3d8LtCR4jEKswzLNwRn
+uceH3+vUv6UZC7EA9cdcmh6RWe3HvTrHNyPoYHng35jT5aZ1lhYx4bg67TJg7I6y
+j2OyP48YhbKvpF2S8uUGdhCZSYJHLqh3yDI1DrzABMZ/9s0xpSfQtzhQYVz5svHk
+Hv93VcbqrYf2Cx0OlxuZG4EEObyYdSqFnqMQBEf/L53oDe9jJKVaXt9IA2XHtyBD
+SAjQeDUUKlzfD+CctjX407qpF2Z22xblGVKzYL1V1oXdN4E8GXq6VWQ8SSwQF/2H
+wQYubDOJ6xxP1PdW+ws2eXhe5g49cSW4PgIpvmxyUEEnKro16RQL4M3Hv5VJYic3
+CRxugrdJWLSrHGnoz/0W5QUTzMX4L2RNf+xeE3eKU74qj2lWEWZgtZLW1waiTqXE
+MBvvFYWh/qMOprpTlXWG5vTag1XLj55uutz1KAVXQRg6AbMKpLXi7wTlZ2nUpUbj
 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
index bdd3f5582..913e599ae 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl kernel-netlink
+  load = aes des sha1 sha2 md5 random pem pkcs1 x509 gmp pem pkcs1 openssl hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
index bdd3f5582..913e599ae 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl kernel-netlink
+  load = aes des sha1 sha2 md5 random pem pkcs1 x509 gmp pem pkcs1 openssl hmac curl kernel-netlink
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index 8dcf8e96f..01fd353c1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 random gmp pem pkcs1 x509 openssl revocation hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
index 8dcf8e96f..01fd353c1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 random gmp pem pkcs1 x509 openssl revocation hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/description.txt b/testing/tests/openssl-ikev2/ecdsa-pkcs8/description.txt
new file mode 100644
index 000000000..294a51cc7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/description.txt
@@ -0,0 +1,14 @@
+The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin
+based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate functions.
+<p>
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b>
+using <b>Elliptic Curve certificates</b> and matching EC private keys stored in the <b>PKCS#8</b>
+format. <b>moon</b>'s key is unencrypted, <b>carol</b>'s key is encrypted with the default
+PKCS#5 v1.5 DES algorithm and <b>dave</b>'s key with the PKCS#5 v2.0 3DES algorithm. 
+<p/>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
+
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
new file mode 100644
index 000000000..868da5776
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
@@ -0,0 +1,14 @@
+moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c75d6b2a1
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..29709926a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
+4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
+BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
+MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
+b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
+d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
+sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
+ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
+s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..5151408c4
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIGwMBsGCSqGSIb3DQEFAzAOBAgzSp1guD3Y3wICCAAEgZD3lUKsfeQ6rwQA2Q2U
+VIyw2+53Z6kfn2vs9I8M197o4AtunwMJ7N6XY441fzcCbstmZ4HoubcuqCXsw5BA
+liVtV0+vnMY6ViJ5OKgzBNGYW39Bu1A5/2NHh0Hsaoop6VPEY67KyhxHBrBrX6fk
+Hn5eZyUKHa6NNGK9bWLqR8CjRNYQpg8NlwUIIxuFFTBw9oc=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..4e53ef91a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..35c522d0e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 pkcs8 openssl revocation random hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..080ce9bce
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..075d8f1e5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
+IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
+zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
+A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
+atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
+IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
+dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
+MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
+LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
+ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
+wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
+g+Z+grJzTppAqpwRpg==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..6555adac1
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,8 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIBBTBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIYdanoOIx6X4CAggA
+MBQGCCqGSIb3DQMHBAjoXTbsYeKpJwSBwBRbP2I3UOHWIrQhM7OqdWGt1+phdNy8
+5Xbus6e/DUp8xalohZD/QTZT3QpMEDuqJ0U3OIB01RWUmlPeUBx+NaPvLb/tQCZg
+iLwdq5E9otbO9nK9G7NDeV22VigMZhZgtpdKqw7TAqgkzqpGfyM+mcUygiGxWwWC
+UyC4G3rxyZVL2zRS/iDpJCIn2kceQk+mu+or3oX5rzzH82b69RQt36gEvd2rX/WU
+gHH/XkNXhL0y0yRkVhowKHE2ZwMNTDbM3g==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..56f6e6365
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem "OJlNZBx+80dLh4wC6fw5LmBd"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..35c522d0e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 pkcs8 openssl revocation random hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..c932101d2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..5178c7f38
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
+VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
+b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
+EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
+PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
+5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
+BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
+Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
+Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
+j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
+VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
+SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
+l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
+mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
+CI9WpQ==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..5c31d677c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,8 @@
+-----BEGIN PRIVATE KEY-----
+MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIBrBxHEGICJRNkhm0H
+WfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42yOKQqifWEcNWxO+wWtBaz91IF5hz
+/m4TbOGhgYkDgYYABAC5p5fz1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp
+1kiaM98op6Tx3XIR9FJJyrfwtiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4
+m62p4gFEqUmg4Ylq307XkTVqpM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHq
+bg==
+-----END PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..35c522d0e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 pkcs8 openssl revocation random hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
index 7cebd7f25..7cebd7f25 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
new file mode 100644
index 000000000..42e9d7c24
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index c78da2c08..2b862e1b3 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index e483eba9d..4e74127fe 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 848adaf6a..48b7d16f2 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
index dad834ca6..41ebec307 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
@@ -1,5 +1,5 @@
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::negotiated TLS version TLS 1.2 with suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
 moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/pfkey/shunt-policies/description.txt b/testing/tests/pfkey/shunt-policies/description.txt
new file mode 100644
index 000000000..ad98eb8d5
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/description.txt
@@ -0,0 +1,11 @@
+All traffic from the clients <b>alice</b> and <b>venus</b> is tunneled
+by default gateway <b>moon</b> to VPN gateway <b>sun</b>. In order to
+prevent local traffic within the <b>10.1.0.0/16</b> subnet to enter the
+tunnel, a <b>local-net</b> shunt policy with <b>type=pass</b> is set up.
+In order for the shunt to work, automatic route insertion must be disabled
+by adding <b>install_routes = no</b> to the charon section of <b>strongswan.conf</b>.
+<p/>
+In order to demonstrate the use of <b>type=drop</b> shunt policies, the
+<b>venus-icmp</b> connection prevents ICMP traffic to and from <b>venus</b>
+to use the IPsec tunnel by dropping such packets. Since this policy does not
+apply to the local net, <b>venus</b> and <b>moon</b> can still ping each other.
diff --git a/testing/tests/pfkey/shunt-policies/evaltest.dat b/testing/tests/pfkey/shunt-policies/evaltest.dat
new file mode 100644
index 000000000..2f6e1a91f
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/evaltest.dat
@@ -0,0 +1,16 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+moon::ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+bob::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+venus::ssh PH_IP_BOB hostname::bob::YES
+bob::ssh PH_IP_VENUS hostname::venus::YES
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..2b90a14c7
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# allow icmp in local net
+	iptables -A INPUT  -i eth1 -p icmp -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..a4958f295
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,43 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn local-net
+	leftsubnet=10.1.0.0/16
+	rightsubnet=10.1.0.0/16
+	authby=never
+	type=pass
+	auto=route
+
+conn venus-icmp
+	leftsubnet=10.1.0.20/32
+	rightsubnet=0.0.0.0/0
+	leftprotoport=icmp
+	rightprotoport=icmp
+	leftauth=any
+	rightauth=any	
+	type=drop
+	auto=route
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	lefthostaccess=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=0.0.0.0/0
+	auto=add
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..87b70994f
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  multiple_authentication = no
+  install_routes = no
+}
diff --git a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..c3b36fb7c
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=0.0.0.0/0
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..10efed787
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/pfkey/shunt-policies/posttest.dat b/testing/tests/pfkey/shunt-policies/posttest.dat
new file mode 100644
index 000000000..a4c96e10f
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+
diff --git a/testing/tests/pfkey/shunt-policies/pretest.dat b/testing/tests/pfkey/shunt-policies/pretest.dat
new file mode 100644
index 000000000..2d7a78acb
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/pfkey/shunt-policies/test.conf b/testing/tests/pfkey/shunt-policies/test.conf
new file mode 100644
index 000000000..cf2ef7424
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
index 1c30841cf..3300d3ee8 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
index 1c30841cf..3300d3ee8 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
index d5f50c361..d09387c35 100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
index d5f50c361..d09387c35 100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
index 1c30841cf..3300d3ee8 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
index 1c30841cf..3300d3ee8 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index 1c30841cf..3300d3ee8 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
index 0dd41b380..1120fe649 100644
--- a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
index 0dd41b380..1120fe649 100644
--- a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index bc951c1dd..a09081afe 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index bc951c1dd..a09081afe 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index bc951c1dd..a09081afe 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-eap-aka-rsa/description.txt b/testing/tests/sql/rw-eap-aka-rsa/description.txt
index b4f766d6f..1277081b9 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/description.txt
+++ b/testing/tests/sql/rw-eap-aka-rsa/description.txt
@@ -3,5 +3,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
 in association with the <i>Authentication and Key Agreement</i> protocol
 (<b>EAP-AKA</b>) to authenticate against the gateway. This protocol is used
 in UMTS, but here a secret from <b>ipsec.secrets</b> is used instead of a USIM/(R)UIM.
-Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate itself
+Gateway <b>moon</b> additionally uses an <b>RSA signature</b> to authenticate itself
 against <b>carol</b>.
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index f17071c95..2fdfe3282 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
+  load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index d2558edf4..3661a7bb9 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
+  load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 0dd41b380..1120fe649 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index 0dd41b380..1120fe649 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 0dd41b380..1120fe649 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
index 0dd41b380..1120fe649 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
index 0dd41b380..1120fe649 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
index 0dd41b380..1120fe649 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index f375db9c9..ee9fbbc66 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
index 34f0c571e..137aecdeb 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
index 34f0c571e..137aecdeb 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
index 34f0c571e..137aecdeb 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
index 34f0c571e..137aecdeb 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
index 34f0c571e..137aecdeb 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
index 34f0c571e..137aecdeb 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/shunt-policies/description.txt b/testing/tests/sql/shunt-policies/description.txt
new file mode 100644
index 000000000..269e7957c
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/description.txt
@@ -0,0 +1,11 @@
+All traffic from the clients <b>alice</b> and <b>venus</b> is tunneled
+by default gateway <b>moon</b> to VPN gateway <b>sun</b>. In order to
+prevent local traffic within the <b>10.1.0.0/16</b> subnet to enter the
+tunnel, a <b>local-net</b> shunt policy with <b>type=pass</b> is set up.
+In order for the shunt to work, automatic route insertion must be disabled
+by adding <b>install_routes = no</b> to the charon section of <b>strongswan.conf</b>.
+<p/>
+In order to demonstrate the use of <b>type=drop</b> shunt policies, the
+<b>venus-icmp</b> connection prevents ICMP traffic to and from <b>venus</b>
+to use the IPsec tunnel by dropping such packets. Thanks to the <b>local-net</b>
+pass shunt, <b>venus</b> and <b>moon</b> can still ping each other, though.
diff --git a/testing/tests/sql/shunt-policies/evaltest.dat b/testing/tests/sql/shunt-policies/evaltest.dat
new file mode 100644
index 000000000..2f6e1a91f
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/evaltest.dat
@@ -0,0 +1,16 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+moon::ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+bob::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+venus::ssh PH_IP_BOB hostname::bob::YES
+bob::ssh PH_IP_VENUS hostname::venus::YES
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..2b90a14c7
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	# allow icmp in local net
+	iptables -A INPUT  -i eth1 -p icmp -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..4ece72ca1
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.d/data.sql
@@ -0,0 +1,227 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* sun.strongswan.org */
+  2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* %any */
+  0, '%any'
+);
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */
+  1, 1, X'308204223082030aa003020102020117300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373130303333325a170d3134303832363130303333325a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c2870203010001a382011a3082011630090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604146a9c74d1f8897989f65a94e989f1fac3649d292e306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b050003820101009cb57836c5e328cda4d58e204bd4ff0c63db841f926d53411c790d516c8e7fdaf191767102343f68003639bda99a684d8c76ad9087fbe55e730ba378a2e442e3b1095875361939c30e75c5145d8bdb6c55f5730a64061c819751f6e4aa6d1dc810fc79dc78aa7790ebaac183988e0c1e3d7ba5729597c7413642d40215041914fc8459e349c47d28825839dd03d77c763d236fc6ba48f95746f3a7b304d06b3c29d9d87666db0eacd080fb2d6bdebf9be1e8265b2b545fb81aa8a18fa056301436c9b8cf599746de81fddb9704f2feb4472f7c0f467fb7281b014167879a0ebda7fae36a5a5607376a803bec8f14f94663102c484a8887ba5b58ed04ee7cec0f'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 4 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 6 
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+  1, X'308204a30201000282010100ca2f633dd4bbba0586215b15a0312f73f533124f0b339b9ae13bb648b02b4c468e0f01e630fbef92197b7708f5dbffea7e496286966d75acf13bd5e4377a1821d82de102eadf9963b489041a0b0f9f76b79e2150aa39020e3fa52a677dbb879c986291e4f1542fe2f0494e9c5c954d4faa75a17aa7b56652f1b16efbdcb46697f7d0b7f520bc990205365938d2cd31f2beed30e761a56c02d9dc82f0cdefc9d43447b6a98f7628aed2ac127a4a9504838f66e7517e5e0b0672c8165474bce689f73a6fc6e3c72b2c45498ddbbc0b17b04915606fe94f256cc777c42c534560ffbbe5aacdd944cc8db4d2abaf8a294af55b03a6a01a54d78430ab78389753c287020301000102820100204507f5ea6a3bfa7db9fd2baa71af3d36b97c0699a71702d5480e83f37a35a65d2e10038975ec7ac90e67a54a785e9432abcbc9e7607913ad3cfb9a7d304381c35b2f3aa3fa242541bf4ca44b77a6dfefd69142aaa886a777890907938dc6cb3b971fea068a854a1747dc0020d6c38c1f8cbec530d747099e01cfd0eb1ceff2b077bd07aaef4989b75594614b16a778891a2e490369d2a9571ddf5cd165331638a8a3c96184a8259eb588caab3bbfab9c0f77b66c830ecf0f294dc1b67a5f36b75e3e095e247864f19ab212fdbf34e0925316ca13c342b4ba464ecf93d2a8e39eee24dd63dddd938101a9f4b8f0de90765e1c1fda5c62e161cc712794aeaea102818100f85d60a6990447926da1ab9db7f094a5d435b11f70c5fef9541a89e05898001190cfdc651b8a23ccbfe8e7bdacd225776f01699d06be5ae5abc4690fe99b81fd9f369e973437fbcba2efdbe1dc6f8389fb2be78e3847f4f05323b2c7b6b6a4c85ca0aa72642747434f4358f0baf10ab173f9c3f24e9674570179dde23c6c248d02818100d06693eb5c92b6d516f630b79b1b98ea3910cbc4c442a4779ce16f5b09825c858ea4dfcc4d33eeb3e4de971a7fa5d2a153e9a83e65f7527ca77b93efc257960eadd8ce5b57e590d9189e542652ae3677c623343a39c1d16dbef3069406eaa4913eeba06e0a3af3c8539dbd4be7d9caf3ccd654ae397ae7faa72ba823e4b0206302818100ef2bc4f249f28415ef7b3bafd33d5b7861e61e9e7f543c18d0340a4840288810625ab90ba8bc9b8305dffca27c75965cf049f4f1a157d862c9c987bf2a2075cacdf2a44049aa0bd16b23fea3ff4a67ea8d351774aea024b0f5ef2fb00134db749336a94d254369edd8bbab3f8f56a60c82f9a807844480de746e6e0cfa50cdd50281807b32d8e93fadc00612eff176e96c14270b1b41cb0dd6f3d17e5dcaedbf9e6041d844e1c4ae33303f0ae307e2f3693d2e8023d68124d863dc2b4aa3f70e25a7210066f5ff0be43b900bbcb5b47e165d3ecb544e70c96a29fbbdf17f870cdbb3f3e585782ef53f4a94b7d1bd715d1be49de20f26ba6462a3370b928470cba5cf4f028180324ffacf705e6746f741d24ff6aa0bb14aad55cba41eb7758e6cc0d51f40feac6b4a459ce374af424287f602b0614520079b436b8e90cde0ddff679304e9efdd74a2ffbfe6e4e1bd1236c360413f2d2656e00b3e3cb217567671bf73a722a222e5e85d109fe2c77caf5951f5b9f4171c744afa717fe7e9306488e6ab87341298'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 4 
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 6 
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_MOON', 'PH_IP_SUN'
+);
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  '%any', '%any'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, mobike, dpd_delay
+) VALUES (
+  'net-net', 1, 4, 5, 0, 0
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, auth_method, mobike, dpd_delay
+) VALUES (
+  'shunts', 2, 7, 7, 0, 0, 0
+);
+INSERT INTO child_configs (
+  name, updown, hostaccess
+) VALUES (
+  'net-net', 'ipsec _updown iptables', 1
+);
+
+INSERT INTO child_configs (
+  name, mode, start_action
+) VALUES (
+  'local-net', 4, 1
+);
+
+INSERT INTO child_configs (
+  name, mode, start_action
+) VALUES (
+  'venus-icmp', 5, 1
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  2, 2
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  2, 3
+);
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'00000000', X'ffffffff'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr, protocol
+) VALUES (
+  7, X'0a010014', X'0a010014', 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr, protocol
+) VALUES (
+  7, X'00000000', X'ffffffff', 1
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  2, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  2, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  3, 3, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  3, 4, 1
+);
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..90be03f69
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  install_routes = no
+}
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+        strictcrlpolicy=no
+        plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..3a0fe67bf
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.d/data.sql
@@ -0,0 +1,152 @@
+/* Identities */
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+  11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* moon.strongswan.org */
+  2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* sun.strongswan.org */
+  2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+  type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
+  11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+  1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f'
+);
+
+INSERT INTO certificates (
+   type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */
+  1, 1, X'3082042030820308a003020102020116300d06092a864886f70d01010b05003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3039303832373039353930345a170d3134303832363039353930345a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b30190603550403131273756e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100df95548a67e90e63694fff10dea9e80e5c49f51f8412b49856b695a145661fd8d21eba017aaaad0dd7f75ee1ed836c4a4ebca28c18f61f48de03b1ee135506c26bd958dd602f9bd2ae4d4e16b4f7f0399a29affe9ad88faa34c9ac31a0f8e80ecf5887b0fb29ff85f1f920934b2d9472595fae89edd36b1576e0d7106577e129e4eaf615b119f50594a51413ba176936dff8f58bb1439f437a663d2116f0b2b2821c7d261ab26c0dda9e6f46a9fbc42f4971e30add5fafd30d29668014040b2902387b475ad67b4f08440b784f37dfe34d441806b9f9342aa193dde017aabc5af401085099d570f7b141da94323714a5715bf1637345607c1208770432ba16c10203010001a38201193082011530090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e0416041456d69e2fdaa8a1cd195c2353e7c5b67096e30bfb306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301d0603551d1104163014821273756e2e7374726f6e677377616e2e6f726730130603551d25040c300a06082b0601050507030130390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010b05000382010100a37ecb613f40c31d0c2bf9c0159a4f26a52bd04cbe3b952472c771ee7774d12966a6241163c2a6b915c20509c312074bb2d777b254234f4a49120585d29cf1c9b9c8e9e3b360084b7e16abb7e5f58544623466d78e0826dace08e7e2b7d9b54890d12a96c62777fe85f68a3964d3b4fde4d3aee2d97e435eff372104629efd9ecc69c57095859609b32d055e0ad5de5d19c45182943d5a2bc39666ad361f7096c7034a04869371c991bc67abaf7954def351b0d6014bd65a15796c80e394047fc724fd029a88c62c95551ba57d8ac4ed4d391dbb7a1a002ba0028ba7aa89ba9f7e4f14002928ca23027485feceb98c90f1366d5474bb00e866f93ff91bf8c618'
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 1
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 2
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  1, 3
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 5 
+);
+
+INSERT INTO certificate_identity (
+  certificate, identity
+) VALUES (
+  2, 6 
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+   type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
+  1, X'308204a40201000282010100df95548a67e90e63694fff10dea9e80e5c49f51f8412b49856b695a145661fd8d21eba017aaaad0dd7f75ee1ed836c4a4ebca28c18f61f48de03b1ee135506c26bd958dd602f9bd2ae4d4e16b4f7f0399a29affe9ad88faa34c9ac31a0f8e80ecf5887b0fb29ff85f1f920934b2d9472595fae89edd36b1576e0d7106577e129e4eaf615b119f50594a51413ba176936dff8f58bb1439f437a663d2116f0b2b2821c7d261ab26c0dda9e6f46a9fbc42f4971e30add5fafd30d29668014040b2902387b475ad67b4f08440b784f37dfe34d441806b9f9342aa193dde017aabc5af401085099d570f7b141da94323714a5715bf1637345607c1208770432ba16c102030100010282010031f9d618cddb393d1d5825426713016cdc5227b970b321acff8cf66b42f0ede3702c30158e8ec1f9db314f031f2d0632a1e0e6507c6fdf545153f01cb0338c3c3f11291cea9819b381048494ecc492ecbd39de3e01ecb048325e75dfee045512a2643e885fcbe672d140877885105e2325390ef183b883321c0d6be51d592b79dfd0f3b522a29509f6c5d3d98c59cc4f4fe9aef978340ffc667e78fd27560eae7245d2d66fa10ad55ef2277ebcec65d1d63cc6b60cbb4d7ba77142554d8817ed174fd539fa8160fc60043f45f4f40dd5989b85874a049bf7f356f250591f6cb2de183e94d8287d712f4df0643b94325b7d4b22bd2d095eb384921c63d33168a502818100f6c92d6977e13cb7b41028dd79010eab910ab83ac2be248a08eb8057804348eb1dc3afb92d67d855bfe891ef0def494bdd109b95c8f5a4e296522d8efd2a4425d0d176e8b0da033d717b77fdb0a14931c2e13b08c7137f0dbf4e1a0ef6919e2c458e40bbecf20004180705e1156bb1d7de09939a8ad096e5346f49e5032a643702818100e7ee610601d43043bea5d304e6502249ce4f70d4de8e903a8fe3a2902878fc7157cb70bf74bc7e0acd7e7a0c3ae1cf2255a22f344a3b9fb13d2347b75ea6a73d15e1327051acffb7f4e56c58f999d7c2e2d878bce0ac09ca2f18d759775c93aa698a45c0c554b99a7147475f1b993fe46c13fed12499006094e806de6db350c702818100e26dd577d6a1579769e405caa7329c26388f3057e1c49a3bf85133d19502a74dea6258c1bbf272e0c292fe0aebab28822dd4061cd964e123712ef75421defce601819eeb8310953674000829413dcaad9894151949a70ec52b48dac9eddbcfd7e8fdcb5161e6ecb2d4e4e4b50f755f98a3c5ffa325489b9ab39084a9564d37e302818047f5087b21a42099541404a55783732fece76ebd4c9374a206b47c62377c59ee1c6c0cfe098cd59a2a695c1a61465fca6a41185e23cddddcd27818af0699b3f75acb74a7ae5f7b332ab2e76baf7d1098f162720b3fb580900f0ea8f9a3f3c008b617e54e4aaadfaed0086a5752abb84bf95036d5d281f9c0fd5203978cf77e4f028181009b29e83640d4b6aa13c81bd79aa890d13aec66c5bff4eddece05cb60320c55bca86a5bd856e364b2809e7d7f2cf94231416927dc39d7f88242b211ac15a38e7fabaca6210537ed1e2f178096f59dc27da21bc09a7b2dc1d5cc7d3bb28fc736c66e6ba19609208b254e4c782462673936445892f4a21a2cfe2066776fe255ce89'
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 5 
+);
+
+INSERT INTO private_key_identity (
+  private_key, identity
+) VALUES (
+  1, 6 
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+  local, remote
+) VALUES (
+  'PH_IP_SUN', 'PH_IP_MOON'
+);
+
+INSERT INTO peer_configs (
+  name, ike_cfg, local_id, remote_id, mobike, dpd_delay
+) VALUES (
+  'net-net', 1, 5, 4, 0, 0
+);
+
+INSERT INTO child_configs (
+  name, updown
+) VALUES (
+  'net-net', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+  peer_cfg, child_cfg
+) VALUES (
+  1, 1
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+  type, start_addr, end_addr
+) VALUES (
+  7, X'00000000', X'ffffffff'
+);
+
+INSERT INTO child_config_traffic_selector (
+  child_cfg, traffic_selector, kind
+) VALUES (
+  1, 2, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+	child_cfg, traffic_selector, kind
+) VALUES (
+  1, 1, 1
+);
+
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ee9fbbc66
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  plugins {
+    sql {
+      database = sqlite:///etc/ipsec.d/ipsec.db 
+    }
+  }
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+}
diff --git a/testing/tests/sql/shunt-policies/posttest.dat b/testing/tests/sql/shunt-policies/posttest.dat
new file mode 100644
index 000000000..13f7ede0a
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/shunt-policies/pretest.dat b/testing/tests/sql/shunt-policies/pretest.dat
new file mode 100644
index 000000000..2ab18542f
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/pretest.dat
@@ -0,0 +1,12 @@
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/sql/shunt-policies/test.conf b/testing/tests/sql/shunt-policies/test.conf
new file mode 100644
index 000000000..d9a61590f
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-11-fhh/description.txt b/testing/tests/tnc/tnccs-11-fhh/description.txt
new file mode 100644
index 000000000..406b163e1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-fhh/description.txt
@@ -0,0 +1,13 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+The Dummy IMC and IMV from the
+<a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup">
+<b>TNC@FHH</b></a> project are used which communicate over a proprietary protocol.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
index f7d78d1ca..a02755148 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
@@ -6,11 +6,9 @@ dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
 dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
 dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES
-moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES
-moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf
index c19192dae..ca55d84a2 100755
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets
index 74942afda..74942afda 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
index c12143cb1..579601b85 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file
index f5da834c0..f5da834c0 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/dummyimc.file
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties
index b1c694107..b1c694107 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/log4cxx.properties
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc/log4cxx.properties
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config
index d2fabe109..d2fabe109 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf
index 7d5ea8b83..93807bb66 100755
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets
index 5496df7ad..5496df7ad 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
index c12143cb1..579601b85 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file
index c20b5e57f..c20b5e57f 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/dummyimc.file
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties
index b1c694107..b1c694107 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/log4cxx.properties
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc/log4cxx.properties
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config
index d2fabe109..d2fabe109 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf
index 50514c99f..32c3357a3 100755
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf
@@ -3,7 +3,7 @@
 config setup
 	strictcrlpolicy=no
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets
index 2e277ccb0..2e277ccb0 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
index f8700d3c5..e3518f5b9 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy
index d00491fd7..d00491fd7 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/dummyimv.policy
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/dummyimv.policy
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
index d8215dd3c..d8215dd3c 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/hostscannerimv.policy
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties
index 122d798b3..122d798b3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/log4cxx.properties
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc/log4cxx.properties
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config
index 140caa98f..140caa98f 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/tnc_config
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat b/testing/tests/tnc/tnccs-11-fhh/posttest.dat
index 7cebd7f25..7cebd7f25 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/posttest.dat
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
index 9896b1e4a..c7a30ee7c 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
@@ -6,9 +6,9 @@ carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 carol::cat /etc/tnc/dummyimc.file
 dave::cat /etc/tnc/dummyimc.file
-moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+moon::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/test.conf b/testing/tests/tnc/tnccs-11-fhh/test.conf
index e28b8259b..e28b8259b 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/test.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/test.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt b/testing/tests/tnc/tnccs-11-radius-block/description.txt
index 350aefc60..55b63ed47 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt
+++ b/testing/tests/tnc/tnccs-11-radius-block/description.txt
@@ -1,11 +1,14 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
 At the outset the gateway authenticates itself to the clients by sending an IKEv2
 <b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
-the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
+<a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup">
+<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
 The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
 In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
 health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+The IMC and IMV communicate are using the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
 <b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements <b>carol</b>
 is authenticated successfully and is granted access to the subnet behind <b>moon</b> whereas 
 <b>dave</b> fails the layered EAP authentication and is rejected.
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
index 517ea9ab2..517ea9ab2 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf
index f4e179aa4..f4e179aa4 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary
index 1a27a02fc..1a27a02fc 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
index f295467a9..f295467a9 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/eap.conf
index 31556361e..31556361e 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
index 1143a0473..1143a0473 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default
index 802fcfd8d..802fcfd8d 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
index 2d4961288..2d4961288 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/users
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..acd4630d2
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+  debug_level = 3
+  plugins {
+    imv-scanner {
+      closed_port_policy = no
+      tcp_ports = 80 443
+     }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties
new file mode 100644
index 000000000..2bdc6e4de
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc/log4cxx.properties
@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..da732f68b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
+IMV "Scanner"	/usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf
index 9cf2b43c4..a639b0426 100755
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.secrets
index 74942afda..74942afda 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7bff51d6b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  multiple_authentication=no
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf
index 998e6c2e5..5da78b4ab 100755
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.secrets
index 5496df7ad..5496df7ad 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
index c12143cb1..579601b85 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables
index 56587b2e8..56587b2e8 100755
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf
index fc8f84638..fc8f84638 100755
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.secrets
index e86d6aa5c..e86d6aa5c 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
index 4d2d3058d..ab71e5908 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
index 132752119..51d8ca1b3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
@@ -1,8 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
+alice::killall radiusd
 alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
 dave::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/apache2 stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
index dc7d5934e..0fa88dbc7 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
@@ -1,14 +1,13 @@
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/apache2 start 2> /dev/null
 alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
 alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
-alice::/etc/init.d/radiusd start
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
+alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
 moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
+dave::LEAK_DETECTIVE_DISABLE=1 ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf b/testing/tests/tnc/tnccs-11-radius-block/test.conf
index bb6b68687..bb6b68687 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/test.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt b/testing/tests/tnc/tnccs-11-radius/description.txt
index 7eebd3d4d..83e5b96f3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt
+++ b/testing/tests/tnc/tnccs-11-radius/description.txt
@@ -1,10 +1,13 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
 At the outset the gateway authenticates itself to the clients by sending an IKEv2
 <b>RSA signature</b> accompanied by a certificate.
-<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to
-the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
+<a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup">
+<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
 The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
 In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
 health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
-clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
+The communication between IMCs and IMVs is based on the  <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
+are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
index d0ea22ba9..d0ea22ba9 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+  secret    = gv6URkSs 
+  shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary
index 1a27a02fc..1a27a02fc 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc
index f295467a9..f295467a9 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf
index 31556361e..31556361e 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf	-- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+#  name of the running server.  See also the "-n" command-line option.
+name = radiusd
+
+#  Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+#  pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+#  max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+#  cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+#  max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+#  listen: Make the server listen on a particular IP address, and send
+listen {
+  type = auth
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  This second "listen" section is for listening on the accounting
+#  port, too.
+#
+listen {
+  type  = acct
+  ipaddr = PH_IP_ALICE 
+  port = 0
+}
+
+#  hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+#  Core dumps are a bad thing.  This should only be set to 'yes'
+allow_core_dumps = no
+
+#  Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+#  Logging section.  The various "log_*" configuration items
+log {
+  destination = files
+  file = ${logdir}/radius.log
+  syslog_facility = daemon
+  stripped_names = no
+  auth = yes 
+  auth_badpass = yes 
+  auth_goodpass = yes 
+}
+
+#  The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+#  Security considerations
+security {
+  max_attributes = 200
+  reject_delay = 1
+  status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+  start_servers = 5
+  max_servers = 32
+  min_spare_servers = 3
+  max_spare_servers = 10
+  max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+  $INCLUDE ${confdir}/modules/
+  $INCLUDE eap.conf
+  $INCLUDE sql.conf
+  $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+  exec
+  expr
+  expiration
+  logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default
index 802fcfd8d..802fcfd8d 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
index f91bccc72..f91bccc72 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..5d586066b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+  debug_level = 3 
+  plugins {
+    imv-test {
+      rounds = 1 
+    }
+    imv-scanner {
+      closed_port_policy = yes
+      tcp_ports = 22
+      udp_ports = 500 4500
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties
new file mode 100644
index 000000000..2bdc6e4de
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties
@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..da732f68b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
+IMV "Scanner"	/usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf
index 9cf2b43c4..a639b0426 100755
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets
index 74942afda..74942afda 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7bff51d6b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  multiple_authentication=no
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf
index 998e6c2e5..5da78b4ab 100755
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets
index 5496df7ad..5496df7ad 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..a599122bc
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  multiple_authentication=no
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = isolate
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables
index 56587b2e8..56587b2e8 100755
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf
index 33dcdcfb0..33dcdcfb0 100755
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
index f4e456bbe..40be81b48 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat b/testing/tests/tnc/tnccs-11-radius/posttest.dat
index 132752119..86bd89dea 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
+alice::killall radiusd
 alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
 moon::/etc/init.d/iptables stop 2> /dev/null
 carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat
index 8dd865819..b5d284278 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat
@@ -3,15 +3,13 @@ carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
 alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
 alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
-alice::/etc/init.d/radiusd start
+alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
 alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
 moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
+dave::LEAK_DETECTIVE_DISABLE=1 ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf b/testing/tests/tnc/tnccs-11-radius/test.conf
index 2a52df203..2a52df203 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius/test.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/description.txt b/testing/tests/tnc/tnccs-11/description.txt
index 4b4808c94..2310a6747 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/description.txt
+++ b/testing/tests/tnc/tnccs-11/description.txt
@@ -3,6 +3,8 @@ using EAP-TTLS authentication only with the gateway presenting a server certific
 the clients doing EAP-MD5 password-based authentication.
 In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
 health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+The IMC and IMV communicate are using the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
 <b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
 clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
 respectively.
diff --git a/testing/tests/tnc/tnccs-11/evaltest.dat b/testing/tests/tnc/tnccs-11/evaltest.dat
new file mode 100644
index 000000000..a02755148
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf
index c19192dae..105fcbec6 100755
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.secrets
index 74942afda..74942afda 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7bff51d6b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  multiple_authentication=no
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf
index 7d5ea8b83..97f322c28 100755
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.secrets
index 5496df7ad..5496df7ad 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..a599122bc
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  multiple_authentication=no
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = isolate
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf
index 50514c99f..997db0df7 100755
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf
@@ -3,7 +3,7 @@
 config setup
 	strictcrlpolicy=no
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imv 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.secrets
index 2e277ccb0..2e277ccb0 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..60313e946
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imv-test {
+      rounds = 1
+    }
+    imv-scanner {
+      closed_port_policy = yes
+      tcp_ports = 22
+      udp_ports = 500 4500
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-11/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..da732f68b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
+IMV "Scanner"	/usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat b/testing/tests/tnc/tnccs-11/posttest.dat
index 7cebd7f25..7cebd7f25 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat
+++ b/testing/tests/tnc/tnccs-11/posttest.dat
diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat
new file mode 100644
index 000000000..dd729cb0b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11/pretest.dat
@@ -0,0 +1,13 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::LEAK_DETECTIVE_DISABLE=1 ipsec start
+carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
+dave::LEAK_DETECTIVE_DISABLE=1 ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf b/testing/tests/tnc/tnccs-11/test.conf
index e28b8259b..e28b8259b 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf
+++ b/testing/tests/tnc/tnccs-11/test.conf
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt b/testing/tests/tnc/tnccs-20-block/description.txt
index c7422aa46..425496174 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt
+++ b/testing/tests/tnc/tnccs-20-block/description.txt
@@ -3,7 +3,8 @@ using EAP-TTLS authentication only with the gateway presenting a server certific
 the clients doing EAP-MD5 password-based authentication.
 In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
 health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b> client-server interface
-compliant with <b>RFC 5793 PB-TNC</b>.
+compliant with <b>RFC 5793 PB-TNC</b>. The IMC and IMV communicate are using the <b>IF-M</b>
+protocol defined by <b>RFC 5792 PA-TNC</b>.
 <p>
 <b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements
 <b>carol</b> is authenticated successfully and is granted access to the subnet behind
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat b/testing/tests/tnc/tnccs-20-block/evaltest.dat
index e3c482441..f1753c208 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-block/evaltest.dat
@@ -5,10 +5,8 @@ carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/3
 dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
-moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES
-moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'no access'::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES 
 moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
 dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf
index c19192dae..105fcbec6 100755
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.secrets
index 74942afda..74942afda 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
index 1a39b8c57..264e8d121 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -12,3 +12,11 @@ charon {
     }
   }
 }
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf
index 7d5ea8b83..97f322c28 100755
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.secrets
index 5496df7ad..5496df7ad 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
index eb7007726..9167adb47 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf
index 6747b4a4a..106cde446 100755
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf
@@ -3,7 +3,7 @@
 config setup
 	strictcrlpolicy=no
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imv 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.secrets
index 2e277ccb0..2e277ccb0 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
index 20caf8e84..d64c89ab8 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
@@ -17,3 +17,13 @@ charon {
     }
   }
 }
+
+libimcv {
+  plugins {
+    imv-scanner {
+      closed_port_policy = yes
+      tcp_ports = 22
+      udp_ports = 500 4500
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..da732f68b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
+IMV "Scanner"	/usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-block/posttest.dat b/testing/tests/tnc/tnccs-20-block/posttest.dat
new file mode 100644
index 000000000..50bb7e117
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-block/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/apache2 stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-block/pretest.dat
index ce897d181..7b0a42fcd 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-block/pretest.dat
@@ -1,11 +1,10 @@
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/apache2 start 2> /dev/null
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf b/testing/tests/tnc/tnccs-20-block/test.conf
index e28b8259b..e28b8259b 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf
+++ b/testing/tests/tnc/tnccs-20-block/test.conf
diff --git a/testing/tests/tnc/tnccs-20-client-retry/description.txt b/testing/tests/tnc/tnccs-20-client-retry/description.txt
new file mode 100644
index 000000000..c8e1afd81
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-client-retry/description.txt
@@ -0,0 +1,13 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>. The IMC and IMV communicate are using the <b>IF-M</b>
+protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
+The first time around both <b>carol</b> and <b>dave</b> fail the health test but they
+request a handshake retry. After remediation <b>carol</b> succeeds but <b>dave</b>
+still fails. Thus based on this second round of measurements the clients are connected
+by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
+</p>
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
index d334a9b97..737c9b9ef 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
@@ -6,11 +6,9 @@ dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YE
 dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
 dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES
-moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES
-moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf
index c19192dae..847ca2e7f 100755
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imc 2"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.secrets
index 74942afda..74942afda 100644
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..885271160
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = isolate 
+      retry = yes
+      retry_command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf
index 7d5ea8b83..f0ad4721f 100755
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imc 2"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.secrets
index 5496df7ad..5496df7ad 100644
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..7e848a25b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = ru , de, en
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = isolate
+      retry = yes
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf
index 50514c99f..9eec48402 100755
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf
@@ -3,7 +3,7 @@
 config setup
 	strictcrlpolicy=no
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imv 2"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.secrets
index 2e277ccb0..2e277ccb0 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bfc5d9531
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,29 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imv-test {
+      rounds = 0 
+    }
+    imv-scanner {
+      closed_port_policy = yes
+      tcp_ports = 22
+      udp_ports = 500 4500
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..da732f68b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
+IMV "Scanner"	/usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
index 7cebd7f25..7cebd7f25 100644
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
diff --git a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
new file mode 100644
index 000000000..208f9daa9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
@@ -0,0 +1,13 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start 
+dave::ipsec start 
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/test.conf b/testing/tests/tnc/tnccs-20-client-retry/test.conf
index e28b8259b..e28b8259b 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/test.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/test.conf
diff --git a/testing/tests/tnc/tnccs-20-fhh/description.txt b/testing/tests/tnc/tnccs-20-fhh/description.txt
new file mode 100644
index 000000000..e68f363bb
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fhh/description.txt
@@ -0,0 +1,13 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>. The Dummy IMC and IMV from the 
+<a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup">
+<b>TNC@FHH</b></a> project are used which communicate over a proprietary protocol.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+</p>
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
index c871bb6da..737c9b9ef 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
@@ -6,11 +6,9 @@ dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YE
 dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
 dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES
-moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES              
-moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..847ca2e7f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tnc 3, imc 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
index b2aa2806a..8d52bc084 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file
index f5da834c0..f5da834c0 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/dummyimc.file
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties
index b1c694107..b1c694107 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/log4cxx.properties
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc/log4cxx.properties
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config
index a5a9a68f3..3ef780933 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/tnc_config
@@ -1,3 +1,3 @@
 #IMC configuration file for strongSwan client 
 
-IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "Dummy"	/usr/local/lib/libdummyimc.so
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..f0ad4721f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tnc 3, imc 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
index b2aa2806a..8d52bc084 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file
index c20b5e57f..c20b5e57f 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/dummyimc.file
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties
index b1c694107..b1c694107 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/log4cxx.properties
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc/log4cxx.properties
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config
index a5a9a68f3..8eee8068a 100644
--- a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/tnc_config
@@ -1,3 +1,3 @@
 #IMC configuration file for strongSwan client 
 
-IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "Dummy"     /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf
index 50514c99f..9eec48402 100755
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf
@@ -3,7 +3,7 @@
 config setup
 	strictcrlpolicy=no
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 3, imv 2"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.secrets
index 2e277ccb0..2e277ccb0 100644
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
index b76c1cd55..04cae2ebb 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy
index d00491fd7..d00491fd7 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/dummyimv.policy
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/dummyimv.policy
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
index d8215dd3c..d8215dd3c 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/hostscannerimv.policy
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/hostscannerimv.policy
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties
index 122d798b3..122d798b3 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/log4cxx.properties
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc/log4cxx.properties
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config
index ac436a344..fa4324e38 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/tnc_config
@@ -1,3 +1,3 @@
 #IMV configuration file for strongSwan server 
 
-IMV "Dummy" /usr/local/lib/libdummyimv.so
+IMV "Dummy"	/usr/local/lib/libdummyimv.so
diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/tnc/tnccs-20-fhh/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fhh/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
index 1c8eebad5..76ad91f98 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
@@ -6,6 +6,7 @@ carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 carol::cat /etc/tnc/dummyimc.file
 dave::cat /etc/tnc/dummyimc.file
+moon::cat /etc/tnc/dummyimv.policy
 moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
 carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start 
 dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start 
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf b/testing/tests/tnc/tnccs-20-fhh/test.conf
index e28b8259b..e28b8259b 100644
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/test.conf
diff --git a/testing/tests/tnc/tnccs-20-pdp/description.txt b/testing/tests/tnc/tnccs-20-pdp/description.txt
new file mode 100644
index 000000000..a178211e1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/description.txt
@@ -0,0 +1,12 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to the policy enforcement
+point <b>moon</b>. At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate. <b>carol</b> and <b>dave</b> then set up an
+<b>EAP-TTLS</b> tunnel each via gateway <b>moon</b> to the policy decision point <b>alice</b>
+authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak
+client authentication based on <b>EAP-MD5</b>. In a next step the EAP-TNC protocol is used within
+the EAP-TTLS tunnel to determine the health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b>
+client-server interface defined by <b>RFC 5793 PB-TNC</b>. The communication between IMCs and IMVs
+is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
+are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
new file mode 100644
index 000000000..ab78a9b76
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES            
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..bdba8d32d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,10 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tnc 3, imv 3"
+
+conn aaa
+	leftcert=aaaCert.pem
+	leftid=aaa.strongswan.org
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
new file mode 100644
index 000000000..6aeb0c0b1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R
+RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm
+Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W
+Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF
+AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni
+wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg
+EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa
+yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp
+iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2
+bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d
+HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr
+EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4
+v42sww==
+-----END CERTIFICATE-----
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem
new file mode 100644
index 000000000..da8cdb051
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx
+bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh
+9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ
+/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp
+NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR
+BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds
+Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi
+NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV
+IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3
+Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI
+aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X
+YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq
+b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If
+/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN
+P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X
+V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t
+cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c
+PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m
+a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo
+NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b
+xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/
+J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5
+YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ
+SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu
+EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
new file mode 100644
index 000000000..96b9a8dd5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA aaaKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..b3769c7d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,33 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-pdp {
+      server = aaa.strongswan.org
+      secret = gv6URkSs
+    }
+  }
+}
+
+libimcv {
+  debug_level = 3 
+  plugins {
+    imv-test {
+      rounds = 1 
+    }
+    imv-scanner {
+      closed_port_policy = yes
+      tcp_ports = 22
+      udp_ports = 500 4500
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..da732f68b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
+IMV "Scanner"	/usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..a639b0426
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..2f9a6d0b7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..5da78b4ab
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..050d41b9f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  plugins {    
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = isolate
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+	before net
+	need logger
+}
+
+start() {
+	ebegin "Starting firewall"
+
+	# enable IP forwarding
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	
+	# default policy is DROP
+	/sbin/iptables -P INPUT DROP
+	/sbin/iptables -P OUTPUT DROP
+	/sbin/iptables -P FORWARD DROP
+
+	# allow esp
+	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+	# allow IKE
+	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+	# allow MobIKE
+	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+	# allow crl fetch from winnetou
+	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+	# allow RADIUS protocol with alice
+	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+	# allow ssh
+	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
+	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+	
+			if [ $a == nat ]; then
+				/sbin/iptables -t nat -P PREROUTING ACCEPT
+				/sbin/iptables -t nat -P POSTROUTING ACCEPT
+				/sbin/iptables -t nat -P OUTPUT ACCEPT
+			elif [ $a == mangle ]; then
+				/sbin/iptables -t mangle -P PREROUTING ACCEPT
+				/sbin/iptables -t mangle -P INPUT ACCEPT
+				/sbin/iptables -t mangle -P FORWARD ACCEPT
+				/sbin/iptables -t mangle -P OUTPUT ACCEPT
+				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
+			elif [ $a == filter ]; then
+				/sbin/iptables -t filter -P INPUT ACCEPT
+				/sbin/iptables -t filter -P FORWARD ACCEPT
+				/sbin/iptables -t filter -P OUTPUT ACCEPT
+			fi
+		done
+	eend $?
+}
+
+reload() {
+	ebegin "Flushing firewall"
+		for a in `cat /proc/net/ip_tables_names`; do
+			/sbin/iptables -F -t $a
+			/sbin/iptables -X -t $a
+		done;
+        eend $?
+	start
+}
+
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..33dcdcfb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-radius
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..d298c17ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      #server = PH_IP6_ALICE 
+      server = PH_IP_ALICE
+      filter_id = yes
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp/posttest.dat b/testing/tests/tnc/tnccs-20-pdp/posttest.dat
new file mode 100644
index 000000000..16218f385
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat b/testing/tests/tnc/tnccs-20-pdp/pretest.dat
index ce897d181..9b9d6b699 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/pretest.dat
@@ -1,11 +1,10 @@
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
-moon::cat /etc/tnc_config
+alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
+alice::ipsec start
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/tnc/tnccs-20-pdp/test.conf b/testing/tests/tnc/tnccs-20-pdp/test.conf
new file mode 100644
index 000000000..400628531
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave alice"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-server-retry/description.txt b/testing/tests/tnc/tnccs-20-server-retry/description.txt
new file mode 100644
index 000000000..b37fbd445
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/description.txt
@@ -0,0 +1,13 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>. The IMC and IMV communicate are using the <b>IF-M</b>
+protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
+The first time the TNC clients <b>carol</b> and <b>dave</b> send their measurements,
+TNC server <b>moon</b> requests a handshake retry. In the retry <b>carol</b> succeeds
+and <b>dave</b> fails. Thus based on this second round of measurements the clients are connected
+by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
+</p>
diff --git a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
new file mode 100644
index 000000000..737c9b9ef
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..847ca2e7f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tnc 3, imc 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e296bcf0b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = retry 
+      retry_command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..f0ad4721f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tnc 3, imc 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..fc9c86b86
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = ru , de, en
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = retry 
+      retry_command = isolate
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..9eec48402
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tnc 3, imv 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bfc5d9531
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,29 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imv-test {
+      rounds = 0 
+    }
+    imv-scanner {
+      closed_port_policy = yes
+      tcp_ports = 22
+      udp_ports = 500 4500
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..da732f68b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
+IMV "Scanner"	/usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
new file mode 100644
index 000000000..208f9daa9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
@@ -0,0 +1,13 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start 
+dave::ipsec start 
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-server-retry/test.conf b/testing/tests/tnc/tnccs-20-server-retry/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-server-retry/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt b/testing/tests/tnc/tnccs-20-tls/description.txt
index 54590a951..a032d2d05 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt
+++ b/testing/tests/tnc/tnccs-20-tls/description.txt
@@ -2,7 +2,8 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gatewa
 both ends doing certificate-based EAP-TLS authentication only.
 In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
 health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0 </b> client-server interface
-compliant with <b>RFC 5793 PB-TNC</b>.
+compliant with <b>RFC 5793 PB-TNC</b>. The IMC and IMV communicate are using the <b>IF-M</b>
+protocol defined by <b>RFC 5792 PA-TNC</b>.
 <p>
 <b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
 clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
new file mode 100644
index 000000000..bbc0603b6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES              
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
index 1b6274215..fe26aaede 100755
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 2, imc 2"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
index b2aa2806a..c38dc7de5 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -9,3 +9,11 @@ charon {
     }
   }
 }
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
index 54c06b12e..e1cfd14bb 100755
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
@@ -2,7 +2,7 @@
 
 config setup
 	plutostart=no
-	charondebug="tls 2, tnc 3"
+	charondebug="tnc 2, imc 2"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..f8fe44563
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = isolate
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..80bcb5a5a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tnc 2, imv 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
index 04a243cad..47fb3253f 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
@@ -14,3 +14,13 @@ charon {
     }
   }
 }
+
+libimcv {
+  plugins {
+    imv-scanner {
+      closed_port_policy = no
+      tcp_ports = 80 443
+      udp_ports =
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..da732f68b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
+IMV "Scanner"	/usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-tls/posttest.dat b/testing/tests/tnc/tnccs-20-tls/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-tls/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat
index ce897d181..c332f131b 100644
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat
@@ -4,8 +4,6 @@ dave::/etc/init.d/iptables start 2> /dev/null
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/tnc/tnccs-20-tls/test.conf b/testing/tests/tnc/tnccs-20-tls/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-tls/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/description.txt b/testing/tests/tnc/tnccs-20/description.txt
index 6a9c5dde8..89f2845a9 100644
--- a/testing/tests/ikev2/rw-eap-tnc-20/description.txt
+++ b/testing/tests/tnc/tnccs-20/description.txt
@@ -3,7 +3,8 @@ using EAP-TTLS authentication only with the gateway presenting a server certific
 the clients doing EAP-MD5 password-based authentication.
 In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
 health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
-compliant with <b>RFC 5793 PB-TNC</b>.
+compliant with <b>RFC 5793 PB-TNC</b>. The IMC and IMV communicate are using the <b>IF-M</b>
+protocol defined by <b>RFC 5792 PA-TNC</b>.
 <p>
 <b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
 clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
diff --git a/testing/tests/tnc/tnccs-20/evaltest.dat b/testing/tests/tnc/tnccs-20/evaltest.dat
new file mode 100644
index 000000000..737c9b9ef
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..847ca2e7f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tnc 3, imc 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..50d7af66b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+      additional_ids = 2
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..f0ad4721f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tnc 3, imc 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b67541c3c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = ru, pl  , de
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = isolate
+      additional_ids = 1
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..9eec48402
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tnc 3, imv 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9e4ebcf04
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,29 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imv-test {
+      rounds = 1
+    }
+    imv-scanner {
+      closed_port_policy = yes 
+      udp_ports = 500 4500
+      tcp_ports = 22
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..da732f68b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
+IMV "Scanner"	/usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-20/posttest.dat b/testing/tests/tnc/tnccs-20/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20/pretest.dat b/testing/tests/tnc/tnccs-20/pretest.dat
new file mode 100644
index 000000000..208f9daa9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/pretest.dat
@@ -0,0 +1,13 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start 
+dave::ipsec start 
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20/test.conf b/testing/tests/tnc/tnccs-20/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt b/testing/tests/tnc/tnccs-dynamic/description.txt
index 21e9bc675..21e9bc675 100644
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt
+++ b/testing/tests/tnc/tnccs-dynamic/description.txt
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
index 593ac4505..5cc395ef8 100644
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
@@ -9,15 +9,13 @@ dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32
 moon::cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES
 moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES
 moon::cat /var/log/daemon.log::final recommendation is 'allow' and evaluation is 'compliant'::YES
-moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES
-moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
 moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
 moon::cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES
 moon::cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES
 moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES
 moon::cat /var/log/daemon.log::final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES
-moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES
-moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon::cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
 moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..105fcbec6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..286eab61d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-1.1
+    }
+  }
+}
+
+libstrongswan {
+  integrity_test = yes
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..97f322c28
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	plutostart=no
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..a9564bd38
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libstrongswan {
+  integrity_test = yes
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = isolate
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..6166552f5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
+IMC "Scanner"	/usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..997db0df7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+	plutostart=no
+	charondebug="tnc 3, imv 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
index a1a4a4747..ca5fdd041 100644
--- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnccs-20 tnccs-dynamic tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
@@ -14,3 +14,17 @@ charon {
     }
   }
 }
+
+libstrongswan {
+  integrity_test = yes
+}
+
+libimcv {
+  plugins {
+    imv-scanner {
+      closed_port_policy = yes 
+      tcp_ports = 22 
+      udp_ports = 500 4500
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..da732f68b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
+IMV "Scanner"	/usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-dynamic/posttest.dat b/testing/tests/tnc/tnccs-dynamic/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-dynamic/pretest.dat b/testing/tests/tnc/tnccs-dynamic/pretest.dat
new file mode 100644
index 000000000..a7a3bf412
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/pretest.dat
@@ -0,0 +1,13 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::LEAK_DETECTIVE_DISABLE=1 ipsec start
+carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-dynamic/test.conf b/testing/tests/tnc/tnccs-dynamic/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-dynamic/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+