Merge tag 'v5.1.0-1' into sid

tag strongSwan 5.1.0-1
author: Yves-Alexis Perez <corsac@debian.org> 2013-10-17 21:23:38 +0200
committer: Yves-Alexis Perez <corsac@debian.org> 2013-10-17 21:23:38 +0200
commit: 9d37ad77ef660b92ea51b69d74e14f931d2a04e2 (patch)
tree: d6bbb4a5fed1959f8675df9ee7c03713b543fcc9 /testing/tests
parent: 104f57d4b0fb6d7547d6898352eaa5fb4b222010 (diff)
parent: e5ee4e7fcdd58b7d86bf1b458da2c63e8e19627b (diff)
download: vyos-strongswan-9d37ad77ef660b92ea51b69d74e14f931d2a04e2.tar.gz
vyos-strongswan-9d37ad77ef660b92ea51b69d74e14f931d2a04e2.zip
3767 files changed, 23658 insertions, 28582 deletions
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/description.txt b/testing/tests/af-alg-ikev1/alg-camellia/description.txt
deleted file mode 100644
index a9633ee84..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
-<b>CAMELLIA_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and 
-<b>CAMELLIA_CBC_128 / HMAC_SHA2_256_128 </b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat b/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat
deleted file mode 100644
index 93f82906e..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES
-carol::ip xfrm state::enc cbc(camellia)::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index cf51269a5..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=camellia128-sha256-modp2048!
-	esp=camellia128-sha256!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 04c2358ed..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = pem pkcs1 x509 af-alg gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 5571dc086..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-       
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=camellia128-sha256-modp2048!
-	esp=camellia128-sha256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 04c2358ed..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = pem pkcs1 x509 af-alg gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat b/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat
deleted file mode 100644
index 6d2eeb5f9..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2 
-carol::ipsec up home
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/test.conf b/testing/tests/af-alg-ikev1/alg-camellia/test.conf
deleted file mode 100644
index 6abbb89a9..000000000
--- a/testing/tests/af-alg-ikev1/alg-camellia/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat b/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat
deleted file mode 100644
index 1a9b9159f..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 80dae3719..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha1-modp1536!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index fd687c13a..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors pem pkcs1 x509 af-alg gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 5cc54b24f..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    required = yes
-    on_add = yes
-  } 
-}
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index f365b07da..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index fd687c13a..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors pem pkcs1 x509 af-alg gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
diff --git a/testing/tests/af-alg-ikev1/rw-cert/posttest.dat b/testing/tests/af-alg-ikev1/rw-cert/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/af-alg-ikev1/rw-cert/pretest.dat b/testing/tests/af-alg-ikev1/rw-cert/pretest.dat
deleted file mode 100644
index 42e9d7c24..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/af-alg-ikev1/rw-cert/test.conf b/testing/tests/af-alg-ikev1/rw-cert/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/af-alg-ikev1/rw-cert/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat b/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat
deleted file mode 100644
index d77c4806e..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
-carol::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 3cd390829..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl pem pkcs1 af-alg gmp random x509 revocation stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 3cd390829..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl pem pkcs1 af-alg gmp random x509 revocation stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat b/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat b/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat
deleted file mode 100644
index 3c3df0196..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 1 
-carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/test.conf b/testing/tests/af-alg-ikev2/alg-camellia/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/af-alg-ikev2/alg-camellia/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/af-alg-ikev2/rw-cert/description.txt b/testing/tests/af-alg-ikev2/rw-cert/description.txt
deleted file mode 100644
index d0c5e9200..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>Crypto API</b>
-of the Linux kernel via the <b>af_alg</b> userland interface for all symmetric
-encryption and hash functions whereas roadwarrior <b>dave</b> uses the default
-<b>strongSwan</b> cryptographical plugins <b>aes des sha1 sha2 md5 gmp</b>.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat b/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat
deleted file mode 100644
index 06a0f8cda..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/af-alg-ikev2/rw-cert/posttest.dat b/testing/tests/af-alg-ikev2/rw-cert/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/af-alg-ikev2/rw-cert/pretest.dat b/testing/tests/af-alg-ikev2/rw-cert/pretest.dat
deleted file mode 100644
index 42e9d7c24..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/af-alg-ikev2/rw-cert/test.conf b/testing/tests/af-alg-ikev2/rw-cert/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/af-alg-ikev2/rw-cert/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/description.txt b/testing/tests/af-alg/alg-camellia/description.txt
index b3515c333..b3515c333 100644
--- a/testing/tests/af-alg-ikev2/alg-camellia/description.txt
+++ b/testing/tests/af-alg/alg-camellia/description.txt
diff --git a/testing/tests/af-alg/alg-camellia/evaltest.dat b/testing/tests/af-alg/alg-camellia/evaltest.dat
new file mode 100644
index 000000000..2096cb994
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/evaltest.dat
@@ -0,0 +1,11 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+moon:: ip xfrm state::enc cbc(camellia)::YES
+carol::ip xfrm state::enc cbc(camellia)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/ipsec.conf
index 37f8a7ecf..11dece402 100755..100644
--- a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha1!
+	esp=camellia192-sha384!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..28b9e5822
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 af-alg gmp random nonce x509 revocation stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/ipsec.conf
index f8d7e3fe9..ecbb94dca 100755..100644
--- a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha1!
+	esp=camellia192-sha384!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..28b9e5822
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 af-alg gmp random nonce x509 revocation stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/af-alg/alg-camellia/posttest.dat b/testing/tests/af-alg/alg-camellia/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/af-alg/alg-camellia/pretest.dat b/testing/tests/af-alg/alg-camellia/pretest.dat
new file mode 100644
index 000000000..886fdf55c
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/af-alg/alg-camellia/test.conf b/testing/tests/af-alg/alg-camellia/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/af-alg/alg-camellia/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/af-alg-ikev1/rw-cert/description.txt b/testing/tests/af-alg/rw-cert/description.txt
index d0c5e9200..d0c5e9200 100644
--- a/testing/tests/af-alg-ikev1/rw-cert/description.txt
+++ b/testing/tests/af-alg/rw-cert/description.txt
diff --git a/testing/tests/af-alg/rw-cert/evaltest.dat b/testing/tests/af-alg/rw-cert/evaltest.dat
new file mode 100644
index 000000000..ba661975b
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/ipsec.conf
index 4a8baa3ae..214a8de28 100755..100644
--- a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=3des-sha1-modp1536!
+	esp=3des-sha1!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
index 1c71b885f..e27685447 100644
--- a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 af-alg gmp random x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/ipsec.conf
index 42f03aab3..7fa2966d2 100755..100644
--- a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-sha256-modp2048!
+	ike=aes128-sha256-modp2048!
+	esp=aes128-sha256!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
index e483eba9d..3ddd02fe7 100644
--- a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/ipsec.conf
index 2e84f2e6a..fc3eea283 100755..100644
--- a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
+	ike=aes128-sha256-modp2048,3des-sha1-modp1536!
+	esp=aes128-sha256,3des-sha1!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
index 1c71b885f..e27685447 100644
--- a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 af-alg gmp random x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 af-alg gmp random nonce x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/af-alg/rw-cert/posttest.dat b/testing/tests/af-alg/rw-cert/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/af-alg/rw-cert/pretest.dat b/testing/tests/af-alg/rw-cert/pretest.dat
new file mode 100644
index 000000000..8bbea1412
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/af-alg/rw-cert/test.conf b/testing/tests/af-alg/rw-cert/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/af-alg/rw-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/description.txt b/testing/tests/gcrypt-ikev1/alg-camellia/description.txt
deleted file mode 100644
index a9633ee84..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
-<b>CAMELLIA_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and 
-<b>CAMELLIA_CBC_128 / HMAC_SHA2_256_128 </b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-camellia/evaltest.dat
deleted file mode 100644
index 93f82906e..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES
-carol::ip xfrm state::enc cbc(camellia)::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index cf51269a5..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=camellia128-sha256-modp2048!
-	esp=camellia128-sha256!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 5e09a3a1d..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 5571dc086..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-       
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=camellia128-sha256-modp2048!
-	esp=camellia128-sha256!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 5e09a3a1d..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev1/alg-camellia/pretest.dat
deleted file mode 100644
index 6d2eeb5f9..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2 
-carol::ipsec up home
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/test.conf b/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
deleted file mode 100644
index 6abbb89a9..000000000
--- a/testing/tests/gcrypt-ikev1/alg-camellia/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
index d9964314b..db5a76204 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat
@@ -1,11 +1,13 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-moon::ipsec statusall::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_512::YES
-moon::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_512::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512_256::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512_256::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ipsec statusall 2> /dev/null::SERPENT_CBC_256/HMAC_SHA2_512_256,::YES
+moon:: ipsec statusall 2> /dev/null::SERPENT_CBC_256/HMAC_SHA2_512_256,::YES
 carol::ip xfrm state::enc cbc(serpent)::YES
-moon::ip xfrm state::enc cbc(serpent)::YES
+moon:: ip xfrm state::enc cbc(serpent)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
index 462427a8c..ce9e54fec 100755..100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=serpent256-sha2_512-modp4096!
-	esp=serpent256-sha2_512!
+	ike=serpent256-sha512-modp4096!
+	esp=serpent256-sha512!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
index 5e09a3a1d..969a5f5aa 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
+charon {
+  load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
index de3c1d1c7..46dc368c4 100755..100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
        
 conn %default
 	ikelifetime=60m
@@ -12,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=serpent256-sha2_512-modp4096!
-	esp=serpent256-sha2_512!
+	ike=serpent256-sha512-modp4096!
+	esp=serpent256-sha512!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
index 5e09a3a1d..969a5f5aa 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
+charon {
+  load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
index 6d2eeb5f9..1b8fc3b79 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2 
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt
index f3fc61fe6..e1a7403e3 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
 <b>TWOFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and 
-<b>TWOFISH_CBC_256 / HMAC_SHA2_512_256</b> for ESP packets. A ping from <b>carol</b> to
+<b>TWOFISH_CBC_256 / HMAC_SHA2_512_256 </b> for ESP packets. A ping from <b>carol</b> to
 <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
index c69355b81..ac3b5e0b0 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat
@@ -1,11 +1,13 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-moon::ipsec statusall::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_512::YES
-moon::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_512::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512_256::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512_256::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ipsec statusall 2> /dev/null::TWOFISH_CBC_256/HMAC_SHA2_512_256,::YES
+moon:: ipsec statusall 2> /dev/null::TWOFISH_CBC_256/HMAC_SHA2_512_256,::YES
 carol::ip xfrm state::enc cbc(twofish)::YES
-moon::ip xfrm state::enc cbc(twofish)::YES
+moon:: ip xfrm state::enc cbc(twofish)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
index 4c02699b7..fe1a78d62 100755..100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=twofish256-sha2_512-modp4096!
-	esp=twofish256-sha2_512!
+	ike=twofish256-sha512-modp4096!
+	esp=twofish256-sha512!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
index 5e09a3a1d..969a5f5aa 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
+charon {
+  load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
index d608ac2f6..b4391cd1f 100755..100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf
@@ -1,19 +1,15 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
+       
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=twofish256-sha2_512-modp4096!
-	esp=twofish256-sha2_512!
+	ike=twofish256-sha512-modp4096!
+	esp=twofish256-sha512!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
index 5e09a3a1d..969a5f5aa 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 x509 gcrypt hmac curl kernel-netlink
+charon {
+  load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  send_vendor_id = yes
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
index 7d077c126..1b8fc3b79 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat
@@ -1,5 +1,4 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::sleep 2 
 carol::ipsec up home
diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
+++ b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/description.txt b/testing/tests/gcrypt-ikev1/rw-cert/description.txt
deleted file mode 100644
index f60f5b1ad..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>gcrypt</b>
-plugin based on the <b>GNU Libgcrypt</b> library for all cryptographical functions
-whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp</b>.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat
deleted file mode 100644
index 1a9b9159f..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 80dae3719..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha1-modp1536!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 697565a38..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors pem pkcs1 x509 gcrypt hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 5cc54b24f..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    required = yes
-    on_add = yes
-  } 
-}
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index f365b07da..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 697565a38..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors pem pkcs1 x509 gcrypt hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/posttest.dat b/testing/tests/gcrypt-ikev1/rw-cert/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev1/rw-cert/pretest.dat
deleted file mode 100644
index 42e9d7c24..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/test.conf b/testing/tests/gcrypt-ikev1/rw-cert/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/gcrypt-ikev1/rw-cert/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
index d77c4806e..5f0bb3cdc 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA2_384_192::YES
+moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
index 37f8a7ecf..11dece402 100755..100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha1!
+	esp=camellia192-sha384!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index dafa85bd1..3c094be34 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
index f8d7e3fe9..ecbb94dca 100755..100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=camellia256-sha512-modp2048!
-	esp=camellia192-sha1!
+	esp=camellia192-sha384!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index dafa85bd1..3c094be34 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 gcrypt nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
+++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
index 06a0f8cda..2342d024b 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
index 4a8baa3ae..214a8de28 100755..100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=3des-sha1-modp1536!
+	esp=3des-sha1!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 92fcbd641..671d97342 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
index 42f03aab3..603651a43 100755..100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-sha256-modp2048!
+	ike=aes256-sha512-modp2048!
+	esp=aes256-sha512!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index e483eba9d..3ddd02fe7 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
index 2e84f2e6a..ce4c0decb 100755..100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
+	ike=aes256-sha512-modp2048,3des-sha1-modp1536!
+	esp=aes256-sha512,3des-sha1!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 92fcbd641..671d97342 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 gcrypt nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/gcrypt-ikev2/rw-cert/test.conf b/testing/tests/gcrypt-ikev2/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/gcrypt-ikev2/rw-cert/test.conf
+++ b/testing/tests/gcrypt-ikev2/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ha/both-active/evaltest.dat b/testing/tests/ha/both-active/evaltest.dat
index a26d8e568..89e5f4b6e 100644
--- a/testing/tests/ha/both-active/evaltest.dat
+++ b/testing/tests/ha/both-active/evaltest.dat
@@ -1,15 +1,15 @@
-alice::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
-alice::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
-moon::ipsec statusall::rw.*PASSIVE.*carol@strongswan.org::YES
-moon::ipsec statusall::rw.*PASSIVE.*dave@strongswan.org::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
+alice::ipsec status 2> /dev/null::rw\[1].*ESTABLISHED.*mars.strongswan.org.*carol@strongswan.org::YES
+alice::ipsec status 2> /dev/null::rw\[2].*ESTABLISHED.*mars.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1].*PASSIVE.*mars.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2].*PASSIVE.*mars.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*mars.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*mars.strongswan.org::YES
 alice::cat /var/log/daemon.log::HA segment 1 activated::YES
-moon::cat /var/log/daemon.log::HA segment 2 activated::YES
+moon:: cat /var/log/daemon.log::HA segment 2 activated::YES
 alice::cat /var/log/daemon.log::handling HA CHILD_SA::YES
-moon::cat /var/log/daemon.log::installed HA CHILD_SA::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::installed HA CHILD_SA::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES
 carol::tcpdump::IP mars.strongswan.org > carol.strongswan.org: ESP::YES
 dave::tcpdump::IP dave.strongswan.org > mars.strongswan.org: ESP::YES
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 95d3b8828..000000000
--- a/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# forward ESP-tunneled traffic
-	iptables -A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
-	iptables -A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
-	iptables -A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-        # clusterip rules
-        iptables -A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \
-                          --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 2 
-        iptables -A INPUT -i eth0 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \
-                          --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 2 
-
-	# allow esp
-	iptables -A INPUT  -p 50 -j ACCEPT
-	iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
-	iptables -A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # allow heartbeat
-        iptables -A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
-
-	# allow ICMP type 3
-	iptables -A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
-
-	# allow IGMP multicasts
-	iptables -A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
-	iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
- 
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf
index 09a5364f4..363473bdd 100755..100644
--- a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/iptables.rules b/testing/tests/ha/both-active/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..cad1d202a
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/iptables.rules
@@ -0,0 +1,50 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# forward ESP-tunneled traffic
+-A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+-A FORWARD -i eth1 -m policy --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
+-A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# clusterip rules
+-A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 2 
+-A INPUT -i eth0 -d 10.1.0.5    -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 2 
+
+# allow esp
+-A INPUT  -p 50 -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow heartbeat
+-A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+# allow ICMP type 3
+-A INPUT  -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+-A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+
+# allow IGMP multicasts
+-A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
+-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
index c1745ec29..2f527cf43 100644
--- a/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default ha 
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default ha 
   plugins {
     ha {
       local = PH_IP_ALICE
diff --git a/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf
index 79e06d4de..3040f6afa 100755..100644
--- a/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
index af91a172a..dcafe679f 100644
--- a/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf
index f75e13d2e..27d6b8d99 100755..100644
--- a/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
index 60dbb5ba2..825cfdc27 100644
--- a/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 6f7a0316b..000000000
--- a/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# forward ESP-tunneled traffic
-	iptables -A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
-	iptables -A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
-	iptables -A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT
-
-        # clusterip rules
-        iptables -A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \
-                          --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 1
-        iptables -A INPUT -i eth1 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \
-                          --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 1
-
-	# allow esp
-	iptables -A INPUT  -p 50 -j ACCEPT
-	iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
-	iptables -A OUTPUT -p 50 -d PH_IP_DAVE  -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# allow heartbeat
-	iptables -A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
-
-	# allow ICMP type 3
-        iptables -A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
-
-	# allow IGMP multicasts
-	iptables -A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
-	iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf
index 09a5364f4..363473bdd 100755..100644
--- a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/iptables.rules b/testing/tests/ha/both-active/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..ab7fd7fcb
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/iptables.rules
@@ -0,0 +1,50 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# forward ESP-tunneled traffic
+-A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+-A FORWARD -m policy -i eth0 --dir in  --pol ipsec --proto esp -s PH_IP_DAVE  -j ACCEPT
+-A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT
+
+# clusterip rules
+-A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 1
+-A INPUT -i eth1 -d 10.1.0.5    -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 1
+
+# allow esp
+-A INPUT  -p 50 -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+-A OUTPUT -p 50 -d PH_IP_DAVE  -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow heartbeat
+-A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+# allow ICMP type 3
+-A INPUT  -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+-A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+
+# allow IGMP multicasts
+-A INPUT  -d 224.0.0.1 -p igmp -j ACCEPT
+-A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
index 1cece26d2..2693cf198 100644
--- a/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default ha
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default ha
   plugins {
     ha {
       local = PH_IP_MOON1
diff --git a/testing/tests/ha/both-active/posttest.dat b/testing/tests/ha/both-active/posttest.dat
index 49bf76055..e4ffe8eef 100644
--- a/testing/tests/ha/both-active/posttest.dat
+++ b/testing/tests/ha/both-active/posttest.dat
@@ -2,15 +2,15 @@ carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
 alice::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::ip addr del 192.168.0.5/24 dev eth0
 moon::ip addr del 10.1.0.5/16 dev eth1
 alice::ip addr del 192.168.0.5/24 dev eth1
 alice::ip addr del 10.1.0.5/16 dev eth0
-alice::/etc/init.d/net.eth1 stop
+alice::ifdown eth1
 venus::ip route del default via 10.1.0.5 dev eth0
 venus::ip route add default via 10.1.0.1 dev eth0
 moon::conntrack -F
diff --git a/testing/tests/ha/both-active/pretest.dat b/testing/tests/ha/both-active/pretest.dat
index e2e509855..af4d66cfc 100644
--- a/testing/tests/ha/both-active/pretest.dat
+++ b/testing/tests/ha/both-active/pretest.dat
@@ -1,14 +1,14 @@
 moon::ip addr add 192.168.0.5/24 dev eth0
 moon::ip addr add 10.1.0.5/16 dev eth1
-alice::/etc/init.d/net.eth1 start
+alice::ifup eth1
 alice::ip addr add 192.168.0.5/24 dev eth1
 alice::ip addr add 10.1.0.5/16 dev eth0
 venus::ip route del default via 10.1.0.1 dev eth0
 venus::ip route add default via 10.1.0.5 dev eth0
-moon::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 alice::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ha/both-active/test.conf b/testing/tests/ha/both-active/test.conf
index 0473013e1..8056d9ce4 100644
--- a/testing/tests/ha/both-active/test.conf
+++ b/testing/tests/ha/both-active/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="venus carol dave"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon carol dave"
diff --git a/testing/tests/ike/rw-cert/evaltest.dat b/testing/tests/ike/rw-cert/evaltest.dat
index 71496d2f2..e431ce533 100644
--- a/testing/tests/ike/rw-cert/evaltest.dat
+++ b/testing/tests/ike/rw-cert/evaltest.dat
@@ -1,9 +1,17 @@
-moon::ipsec statusall::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec statusall 2> /dev/null::home.*IKEv1::YES
+dave:: ipsec statusall 2> /dev/null::home.*IKEv2::YES
+moon:: ipsec statusall 2> /dev/null::rw\[1]: IKEv1::YES
+moon:: ipsec statusall 2> /dev/null::rw\[2]: IKEv2::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/ipsec.conf
index 3fbad9070..06cb94146 100755..100644
--- a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	cachecrls=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,12 +8,12 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+
+conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
-
-conn home
 	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
index 83c10cfdc..0fe8bd9c7 100644
--- a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,15 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
index 3be21d055..b28076511 100755..100644
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
index 3545a5734..0fe8bd9c7 100644
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,12 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
-}
-
-libstrongswan {
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
index d90ab485c..b5e161893 100755..100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,15 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1 
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
index 7a066e53e..0fe8bd9c7 100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,16 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 revocation xcbc stroke kernel-netlink socket-raw
-}
-
-pluto {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
-}
-
-libstrongswan {
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike/rw-cert/pretest.dat b/testing/tests/ike/rw-cert/pretest.dat
index 587b6aeed..e50793830 100644
--- a/testing/tests/ike/rw-cert/pretest.dat
+++ b/testing/tests/ike/rw-cert/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ike/rw-cert/test.conf b/testing/tests/ike/rw-cert/test.conf
index 845a6dcd7..51bf2b7f2 100644
--- a/testing/tests/ike/rw-cert/test.conf
+++ b/testing/tests/ike/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ike/rw_v1-net_v2/evaltest.dat b/testing/tests/ike/rw_v1-net_v2/evaltest.dat
index 4eace50b7..847a2d92d 100644
--- a/testing/tests/ike/rw_v1-net_v2/evaltest.dat
+++ b/testing/tests/ike/rw_v1-net_v2/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES 
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/ipsec.conf
index b4bc2101c..06cb94146 100755..100644
--- a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,12 +8,12 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+
+conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
-
-conn home
 	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5ea53fde9
--- /dev/null
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac x509 revocation stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
index 57c41b521..50d38564a 100755..100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
 
 conn %default
 	ikelifetime=60m
@@ -24,4 +22,3 @@ conn rw
 	rightid=carol@strongswan.org
 	keyexchange=ikev1
 	auto=add
-
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
index 8cb117c7b..ce2265a39 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 revocation xcbc stroke kernel-netlink socket-raw
-}
-
-pluto {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac x509 revocation stroke kernel-netlink socket-default 
 }
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/ipsec.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/ipsec.conf
index e5a9fe396..c6bfaf8f1 100755..100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn net-net 
 	left=PH_IP_SUN
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
index 88f162098..5ea53fde9 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac x509 revocation stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike/rw_v1-net_v2/pretest.dat b/testing/tests/ike/rw_v1-net_v2/pretest.dat
index 03b8dc218..f61a4cb51 100644
--- a/testing/tests/ike/rw_v1-net_v2/pretest.dat
+++ b/testing/tests/ike/rw_v1-net_v2/pretest.dat
@@ -1,5 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::ipsec start
 sun::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ike/rw_v1-net_v2/test.conf b/testing/tests/ike/rw_v1-net_v2/test.conf
index 983881e5d..864f944d7 100644
--- a/testing/tests/ike/rw_v1-net_v2/test.conf
+++ b/testing/tests/ike/rw_v1-net_v2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="carol moon sun"
diff --git a/testing/tests/ikev1/after-2038-certs/description.txt b/testing/tests/ikev1/after-2038-certs/description.txt
deleted file mode 100644
index fb622dc15..000000000
--- a/testing/tests/ikev1/after-2038-certs/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on <b>X.509 certificates</b> that are valid until
-the year 2039 and are issued by a certification authority with a root ca 
-certificate valid until the year 2059. On 32-bit platforms, dates after
-Jan 19 03:14:07 UTC 2038 cannot by represented by the time_t data type.
-Thus if a time wrap-around occurs during ASN.1 to time_t conversions,
-dates contained in the certificates are set to the maximum value,
-i.e. to Jan 19 03:14:07 UTC 2038.
-
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> ping the client <b>alice</b>
-behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/after-2038-certs/evaltest.dat b/testing/tests/ikev1/after-2038-certs/evaltest.dat
deleted file mode 100644
index 790811a61..000000000
--- a/testing/tests/ikev1/after-2038-certs/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index 03b57243b..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,55 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIJ0DCCBbigAwIBAgIJAIORWNruS4GuMA0GCSqGSIb3DQEBDQUAMEgxCzAJBgNV
-BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJv
-bmdTd2FuIE1vbnN0ZXIgQ0EwIBcNMDkwMzI4MDgwMDUzWhgPMjA1OTAzMTYwODAw
-NTNaMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4w
-HAYDVQQDExVzdHJvbmdTd2FuIE1vbnN0ZXIgQ0EwggQiMA0GCSqGSIb3DQEBAQUA
-A4IEDwAwggQKAoIEAQDL3Cy8fYlD/Lqc6vXnWakywyvB7rouV7CIdxZMGHz/6zO4
-4sZaeqWy4Fmp6zPuLI8RtxsIyrZAJzqnTDNRb6FhosdluTy/QL2N+M2U0fKeRjAd
-2IInFOabqSSheB8Np53xK28oZ3xe75vbpSRiqGItmqZHioFPpNV+gRv2NC2NSUqr
-ta9aRo35m2ZyQuav4+oOYalayApZWr44w8qQJRILvFo6jc7x5bE+LgFNRfe15/MY
-dyrabatILkOucP61VE7QqftLj465w1GG3kzyt4PsX5FKkSkhs3wMnQKLJyvxUIlk
-sC7m/NzABRAEAfLAODJJ9indUCVjcLDC81avQPoHOSD736hkYpWRnlrgvu14q+5d
-kBRvyCQu+SoBPj0oMtEEdaPk7aBGjXDvKkeJAZYEcOP8h9oKUQjwYUQhQ7Np0f33
-YBaQSCv/6kfl+260XXMWQrQd4iDY17x5H8wA6mncTQ01JHIJy5pixXt09dPmWaAh
-qZWaDbkSLslO05zai45QpTFQ2Qtw3d6w5BY3u2bREB7HnyFfZF8n43pvsInNv5pQ
-HLVHN5/TP/YVwbZj4UXXgAjkL/4t6DGELk62VkrxB1dQDopimFRmaGctAGWbo8ro
-UVpGDXnSHCn9SPmEqeetK1fJHcCeQskVFakIB3qdRJM+rsWcOFA4c40D6uKyvLHe
-xZbqaOjpL2r9vfuzMtbUMUinZNBqVf7dCkxY02gdi1HpTB5p1VBSRbXdaC1Zow4O
-Rn2Ekd6/lr5G45S8ljr7EeGnAUKFOoyU8F6dYmvgwBTgNwQsGa+MbWkuaaxuIq0f
-/e3J3PYkdQ+7tNXPsqoDXcOtc0ZPlBRwDx9Js+qh86e5HKh85DzBjjl97giv/3PC
-Ek6imgHhx0QsulWUfGzls+sd3SXf8azBFt6Jh7lUJQafNH++fLZvryGYa2gjEn4V
-Cwr8PTaWLm5TwgHlyJTH8Zkk7yEVZvzJfs6UC8tEaYitmAb8e9cYTztA0e4gPeY/
-9UTyb0XAnol368DGKi5T5L1x1NVHkPc5zVXcGUvUFpEd4q4aJWj9xUyskt13fl8V
-9BOKc1BJZUdCkxRSt1wF4tlcFs9EVbOoYOT2+KJiaWB59ke+O7HUxnjFzNfPFLO9
-ItgNHhahXrhX22e//B9QhzQ5O29UhXpX0y624DK/e/bj96c6ve5NqDIcZdOyVduT
-XiEyfUpP0ZjvwRbS42A1VYs34ELBt5ntUhRvgivXAbBnC19pv/WFurMzaxueQgjh
-e/TUX1FWXh8zq5qPvASxkupdo5GOrcjn6a8zTmRPS6V8jVLQmUHMsCsyFcVUECsL
-99wet1nlFAloL59Z6Cjj3LkyLpeIG/o4ItGEdw5bAgMBAAGjgbowgbcwDwYDVR0T
-AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFBlirZarxvvXjxDEVv9A
-YyJCcHYOMHgGA1UdIwRxMG+AFBlirZarxvvXjxDEVv9AYyJCcHYOoUykSjBIMQsw
-CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMV
-c3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5Lga4wDQYJKoZIhvcNAQENBQAD
-ggQBAHcfJo343EP+u0T1DTa3oJbYtqON1F7UdkJcOUxRhp4HFlPEOFxSnHU5Qi2f
-hzxWZTQEKI2q62AXdyHDygI44dCpSFZNPcZHdwBl26maMHubv7JXFl7TWupvki57
-71ttz+0wc5iU38g3ktVkrcjzUiqKU2BXnvIuLteOHfnSMGR+JG0v94nYl60EEtZr
-/Ru0Orcq93mrQyih4MZMrcssNBI+2HSFmjITBSGAz9G81d/kojtCEsmY37dqpkqO
-lOo57HLTUzuMHW1W+c7wCLAl2rhy0xIJ/t5XpNBvPzc7xKZex01A7kKIcUV5vlvj
-8+NTuMF4NAZjgtODj0Z3kKsxaIlq0O1+SfubdnHE9pNZPXWm4SSW8w1C+n1+MAA2
-RpK7T1T7BiOQD2fSKsCPvocefiWFOUuHkyRPG5vE0Ob5XH5qT5R3xTq1ta1cpxsA
-Rq0s4QHYePZ+gU/7edI7LvZtueOGL4BeR1TSIcbij5+LfFlIjz9ETp3cWc5rxjsm
-xBGeHyCslH2EKuufzg5czqmnTdwC4zGNVUyn8c5YUVpOxEZOpnrrGpR7xCHG6n0s
-PFpXRuSp6JHSDVCFkJLLrIH0MNmXirgsNLQEOX3WBPeK2hj9X3kzV+iRd5YXqBld
-6x1Jnx66iNhJyKHDXfZ84PIZzxaKrDrR35PK3DsZUATx0l56uBWAY3n1Zl5ZrWkd
-c66yvP8/WXqO1IctddURFn1ohkkbCVd8ke45ZQoyHIb+cC2gTU53aYNNAZDHh/C/
-MrU7+d5yH29dLjtv+J3JrDwdtBLMZa4RcIOZxhk7MhheNW3K+Q5xpKrdsqourQ2T
-vBwEmrfiLHRb+Hk8UbPpDW5m3yaXYmn8bQinkD1BP2ru/f6r4Rj+aAtNvz8ofgAg
-RcUcD+jeIDAEWnFCKtHxtp+fLYm5npnwfyCyOID2Lr3K1Z7SpqzoYYq9bfc3AdtL
-uHr9RSjdfsuG0l44xESwC2+Pp6rHwvAIPfPgcZiOX1GObytxXexWYCy9g/DKmUVv
-inTJNjHpH48ffPmCBE2LoylgBv/dSmf6hQSf5lqsKQ3tKApJv8t0oO6jqyvn+aqs
-CTi4WALKhZn9YRKRzcwzYVav1g0fHkrwRQxv8TRM0tYWZ5V01qgumxD3L/37vqDR
-8bx9KvgiF3DbP2q8IbVuVMLwjU6xPH+5sWJCS0Cx2haW1oVw7ppd9sgAkj/wxzt8
-9jl/bx3rD3YwoobFvqry0Rhe4J1LidAAKX+E69c4GwoTIe3eqL/TYkis7YIFLjea
-cm2lumjrrFcnbZLvDK5S/+kfZ2Flt2QoUznNeTTNY1nAnJSgqOgOocvyYDA9vx6H
-d/Fp6btmZH31IEyJrRNVOpCwZPI=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 2ce2ce3c9..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,46 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIINzCCBB+gAwIBAgIBATANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN
-b25zdGVyIENBMB4XDTA5MDMyODE0MDYwOFoXDTM5MDMyMTE0MDYwOFowWTELMAkG
-A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v
-bnN0ZXIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIICIjANBgkqhkiG
-9w0BAQEFAAOCAg8AMIICCgKCAgEAqYq89COSvnLQplrjtSrDyvqvJqXN7mfmgfgR
-yGVG6HVoA3DU/vJPo8xHT43eTIBkT9wxernYxGw7UZwG6iiY3Me7Q82f+2TmX8mp
-dYtP53SWASOHBiLk7d3yJJjCY2GGP8Vb0avJa8GEOy9ZHTOf5HWwMDt9EQKxOzkw
-BebpMLCf2Mi1robNUj/lEgE+3AGfikF39E3JaXhna3mm+7PwO5J5udpxC/rVa+bO
-FPoBoBOY7v4fuq0CV5x5q/bXn9oVWteF/U1fnnOf5Dhe3P057oj7kARsmGk8e0DW
-kk1vTt4jplSg6jhH7izy4OhiqWkR7QV/BMOQBqBd6bw9Ojk12LFZBQulM0Lmtou5
-mGabckTMvtI591UCGNqGMcVDsxFIX2ZMvfScMahS6pUq+hjiR95mwez2Z1Sg014l
-cFg11mzjXGGBFuTCl3smJqRT7UaI6JfjNz1f6p/7z8QhjKChVA/xnJ5yoJWNPest
-2X0psHe3AlocUFRxqnD2ZmNO6IuKN5bmN0O4Lfc50rl2hPATXdh0HC8HvcYbRK9C
-uezkuM1QEvkev5SFbzgivXb1A2hdRCc1/XRND7Pm9sCjjh3tn5otCMnalc1mk5v+
-t8GhCKV6B7RTzFqu+ry0pe6OlqqzU0yNdqYFK1hoCDXUQzEMJzmI9mIw+n6EE3Hh
-fTZstGECAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
-DgQWBBTy8LU5yQdnV8pfwhCPY7q/CiNyzjB4BgNVHSMEcTBvgBQZYq2Wq8b7148Q
-xFb/QGMiQnB2DqFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0
-cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gTW9uc3RlciBDQYIJAIORWNru
-S4GuMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMEEGA1UdHwQ6MDgw
-NqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1tb25z
-dGVyLmNybDANBgkqhkiG9w0BAQ0FAAOCBAEAi39l78OCI9S0I3X62HbkxiLguvnc
-CbXY6Tqmz0Ms8xqZgYzJOk7FLB/4v/zJohOH5nd7KxJ81KbcERyASpybaLM0/V+V
-oGT0rDGGH5cS4H2uYfs9HsKFKKPbZeCnExFyCamXjBZkl5IZNjdpS9TLyXRJSyFN
-OIRNhILPSriqdtzgRuGOeX798U8o0ObizGQRVlT0p0lI4t64dzZbIh3jSXjCf1Tz
-cmVOC8qhhGvxLlorSy5K98t2zNY7DvzwtvoQrNFGtso1kvfmaO4XRCvSZsmqPpC5
-mmWJjNEG2qcbmfpt8TotyUHgEJTZXwXlPVVb5OXHTW6jXk/MN0UiMTLJYcvJ1gji
-kSnGNHzRH2rKlYRED+jlzzHAWSv0mBGcOTdmfBV6+TJ7QhWhLZBzAUfwqXpAy9Vk
-idtyB0eSWBTIvhZY6SzB0Rvkdj0FtZ+tNURT4dPtiO0D+LXm/ojpdKKI2tFNOgwY
-n8df2u3xnCRvHqcF6lvu+ptnwUkUDDGDuiM20+sm0HHhLIj51v8tTm3Q/MzI0BAb
-G4HOSQNDzymWDgzIE67UTxBwXVDbSLkzH1vhFXtZQlD1UHqOUT/4FQm5ZlVMF8na
-FKxHakqoh1CdI8TAmM64h3hp1zp+G9Zn0lfcHRhvWBvpU8mgF1cbEvgbzjd9+xLe
-q45/8xuZPnU7XIBvDcZTUk8LRIThcTxQRlQdI1UJnvPOBYG3mUrLs2UdEZGwsooG
-zMOj3EQwqrR67rQiuGo65IMPDix4mwHjcZ8Gr4eqLDwSUS5yoPX1qI2qNLQbI1Ni
-8PEYMXQ0Xm+9Z86ZkI0dAIBWLkEGkz5Ngqk4O3JLzF1O/XPG4E9hGJ8WsHQW6pk9
-+quv5nVNCAO0z6FYfQoYprdbDBur+N/no+BYIcSFSpLcNgafLXgj3I65iJ2VmRi0
-V0xAfxcRiQN2+/7aao2zLrrSPHU8YsW48ISw9ibQ9EckZMVtnhuYpBJuX8+auZ8f
-OgBmgRi7fCtEcMlXsiisQehymMs470eDRfWFUMzgJC8tMOQIWNdYM0Bo29wYUJPN
-jD+NO0n+PisFMilBEyoT2pD1i94+5DWQau/7STb3GbpBsLb7JbIrQEp0oSdsvsNR
-SaJQEqMxepJM0OGp3FMr79s+/a13+TMm+jl65M6sV/YTDdYFlplkWyHDjbL+WjUu
-lvDEURfBJrtT7u673RakCEzl5e53fP01HXFhqgMSloR7j2XNiyCeEUBp+zetXxwb
-8e6IKtbXWU+WcXIdNOHAL+OtD1vUK3gxupJPrRNW6daZKWUDbjRixzXnjeyIw8It
-bRldc5VjyM0G4FMbmIROgRcvjJ74MUwnHpgPl9zQ28HmbxKbANiJJZHIDw==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index f0836ec33..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEAqYq89COSvnLQplrjtSrDyvqvJqXN7mfmgfgRyGVG6HVoA3DU
-/vJPo8xHT43eTIBkT9wxernYxGw7UZwG6iiY3Me7Q82f+2TmX8mpdYtP53SWASOH
-BiLk7d3yJJjCY2GGP8Vb0avJa8GEOy9ZHTOf5HWwMDt9EQKxOzkwBebpMLCf2Mi1
-robNUj/lEgE+3AGfikF39E3JaXhna3mm+7PwO5J5udpxC/rVa+bOFPoBoBOY7v4f
-uq0CV5x5q/bXn9oVWteF/U1fnnOf5Dhe3P057oj7kARsmGk8e0DWkk1vTt4jplSg
-6jhH7izy4OhiqWkR7QV/BMOQBqBd6bw9Ojk12LFZBQulM0Lmtou5mGabckTMvtI5
-91UCGNqGMcVDsxFIX2ZMvfScMahS6pUq+hjiR95mwez2Z1Sg014lcFg11mzjXGGB
-FuTCl3smJqRT7UaI6JfjNz1f6p/7z8QhjKChVA/xnJ5yoJWNPest2X0psHe3Aloc
-UFRxqnD2ZmNO6IuKN5bmN0O4Lfc50rl2hPATXdh0HC8HvcYbRK9CuezkuM1QEvke
-v5SFbzgivXb1A2hdRCc1/XRND7Pm9sCjjh3tn5otCMnalc1mk5v+t8GhCKV6B7RT
-zFqu+ry0pe6OlqqzU0yNdqYFK1hoCDXUQzEMJzmI9mIw+n6EE3HhfTZstGECAwEA
-AQKCAgAmHcjpYm4FXy7Fl72F531pTv69w50OslFCexEUaqCMdojR7TYVs0hwXObT
-XePSczMaOTjujIXNcz/K0zdCwanMSSMy1THYhRC+DEqK4K0wLifjTad3m7S4PaPI
-0ocxbKWQBMDl3KdGEJW38KcqR4b1B/h6f4VYo7BQzkSbrxRSHANz63vdJvVWPoMz
-jxAgykSiAqIDTNGxYp5trUX7ZLLn0cCIJjIwLU56GcPPN33SDVXetUdQ4sCaDdXU
-8YP8rj0K1VWMYy7SItCZsIqzSEMT+7wC3tvDUDWGyEb1UW9q3cpKBNDAl7KkO3rH
-UbeMutCK5ydtXMIumzNB704cnuwZ08sdM7BTTMhmu0VK+zjVzhBK+MFcF7pickD3
-SdNzOiqfgiXLGjsiMFJvJ7OUJczEJl2xIoZ+Otb113ep0An0PEuF6aZMaKPNP7xf
-ljnengym1Rq+f1mHBRRfool9zmeisnQSSecKo0htm6oRkQTcTwLj0TjiCugbmISf
-D7sUXWp/QFVdYhHTay1gWUnP1quflKYvEynd0UF0JOnCbpWAczdXf27fm7DVjgLp
-yZ4QyrCtyvtIITgmZOvkAcaflxe2E+cBN2F+hWGzqMJfoMtw008hRW9DcRji35Kn
-lCOj/87n8lL3dicDI0caBZO9tQIakh05XYW8xN+sYF9K/xKauQKCAQEA2txDchqB
-7719R6hBqdNqig2+telNHlN0amPKjqIvP7Tr/JnJx8A7cSasao1Fw0cGPReBT7Tb
-Z5IW7xvWiZYFMDI8q8ZGEIb+MveYs1gHlEaimMtwoVCNeNe3cEPIL7ffNT8y+xFc
-o55AjzgKAOHqmf6OidKqRs/B1sSmOrgugsY8KvYtA/JrieVHKrjNX5XqZNqrfsns
-K4DMcJvIrfBu9iyWenNoBOdEJsP0h3F39Zh2hkEg29eH+/8x6FGlezvSU89Jjs9O
-/2BdlyS82RbhPu2VIrsmpfoSrsFHRe8t/9yrnpY3ud6w2LP9QIEMd8FpWKGnNxJp
-AIZJ6u+NoWVlLwKCAQEAxk/7RSSvf6VJvi1gmOxKd79LkYUEiyZryP/M8kQFMqs5
-pU6BgFLVLZsaXz+1oYS0bEjVGGo5ppCVVUMN6RuFX9zVz9uVZBeiiItqw64UDbt/
-0u78m9ngvSpWaMQU2nS/kHVhKOY+Gfs0v5fBvZE+wxTfMBR+nbx7uJivpXnq6xMP
-fhDz6juap/lEK6HuvQN5xXBNL4wpd099lvy3NUuG0Dohb/+gWf3YzQtjs281iMZB
-G3/gGLcBSdk6PBwXueJ3NPj9FAII73MQNBNYS3zi3IYuulA/rMcvbA+IGeKTzRX5
-E47B8ZAhJxZ3OePalvZyVEaRHDFT+Y2YCv/G9Bw7bwKCAQBs97oE97m2Gcxkfxui
-aIblEY7gl7Yz4S1XQzQ46/tGZtgQPqm+cLGn1q+Fpa0UWyp6BFf3zX5oBM6yYlPg
-0PboVjrq858y32N1EN3QfYXYh4qxNKlxR+AISK8mkDj9uTjDFCJX6v8K3+IY7Lfe
-VJ0v6xQg/uiUtSA3xFVXaxiNOBIA+ezTyEFOuP9EABsQ+l1ntZApYnPZ/RjNAGNc
-Zxd4Lh8F/KvPtS2zd2Eqho5Jk41/rrGjg55LE3ZPy0bvIovH+q8PEZytfddbR4lX
-NRMU98mHL1NA1E+0/rpz0XA/sikonnZEbuHyIzt2gEoq3fuLi4Dr5JivEC2BcaA8
-uXU1AoIBAQDDxUdfXbTmxQxEctVuga2OA0mdkXwHxlkXZvcyntWmzIOu3g5X2O3c
-BMcHCoTKu4/Faiz72jmpZggV0IlV+zYyiXaFqNcUpYRtWXx/SkU/vT6VxBmZ3X/Q
-HpCJAjE365MFD+tnjcv2qBfNoAnBkzYrLVqbQ1AvdVeJxyl2qSGxCPL9V80DCe5G
-LnwOuuBMtbaro45/BtYUk2N+/2H5eeLPguNphigNTtyMpta412s458Z0WEuo+liK
-R6kGmBEQDzHxGG/2JYAeqi9vyT0b4GCwpMJSaVBCx6vX+Ik6TIPuLOfjV8W8K7We
-ub3fZ0FuUEJTUgqEk2m77P0Qtqn4aDp/AoIBAQDXI66F4POHVOPI/j584sSLhW6X
-j5VzFlmOhpyoourPYXsKyIFrLa/gYAe/wNH/5jg3Ap5DbBVZB87gOkaMz2oV+ZQ/
-5IWiFmiUxGrCXmWyI6Eqr2DUtSKispLnQ043bFN+HlhfQYTwD9ijqpwpUt/sC+IJ
-mLIGJs5B3cdcRQuSxh1HpvSJOuItjp0wfcGj3+RPh5cPdjHZW30FHGFomOk//6BO
-nWdoYUGrN9wXylDOHvlkYaP2Uj5rCWm51ZGaxzJR9S+WkHdNBzyygpGtEXdSAIzU
-tHufKwQdDnj22w8KSCvQ+KvwUn9UrIR5LyGKiYGWved9X2EQzIFC4dJ8h30G
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
deleted file mode 100644
index 03b57243b..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
+++ /dev/null
@@ -1,55 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIJ0DCCBbigAwIBAgIJAIORWNruS4GuMA0GCSqGSIb3DQEBDQUAMEgxCzAJBgNV
-BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJv
-bmdTd2FuIE1vbnN0ZXIgQ0EwIBcNMDkwMzI4MDgwMDUzWhgPMjA1OTAzMTYwODAw
-NTNaMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4w
-HAYDVQQDExVzdHJvbmdTd2FuIE1vbnN0ZXIgQ0EwggQiMA0GCSqGSIb3DQEBAQUA
-A4IEDwAwggQKAoIEAQDL3Cy8fYlD/Lqc6vXnWakywyvB7rouV7CIdxZMGHz/6zO4
-4sZaeqWy4Fmp6zPuLI8RtxsIyrZAJzqnTDNRb6FhosdluTy/QL2N+M2U0fKeRjAd
-2IInFOabqSSheB8Np53xK28oZ3xe75vbpSRiqGItmqZHioFPpNV+gRv2NC2NSUqr
-ta9aRo35m2ZyQuav4+oOYalayApZWr44w8qQJRILvFo6jc7x5bE+LgFNRfe15/MY
-dyrabatILkOucP61VE7QqftLj465w1GG3kzyt4PsX5FKkSkhs3wMnQKLJyvxUIlk
-sC7m/NzABRAEAfLAODJJ9indUCVjcLDC81avQPoHOSD736hkYpWRnlrgvu14q+5d
-kBRvyCQu+SoBPj0oMtEEdaPk7aBGjXDvKkeJAZYEcOP8h9oKUQjwYUQhQ7Np0f33
-YBaQSCv/6kfl+260XXMWQrQd4iDY17x5H8wA6mncTQ01JHIJy5pixXt09dPmWaAh
-qZWaDbkSLslO05zai45QpTFQ2Qtw3d6w5BY3u2bREB7HnyFfZF8n43pvsInNv5pQ
-HLVHN5/TP/YVwbZj4UXXgAjkL/4t6DGELk62VkrxB1dQDopimFRmaGctAGWbo8ro
-UVpGDXnSHCn9SPmEqeetK1fJHcCeQskVFakIB3qdRJM+rsWcOFA4c40D6uKyvLHe
-xZbqaOjpL2r9vfuzMtbUMUinZNBqVf7dCkxY02gdi1HpTB5p1VBSRbXdaC1Zow4O
-Rn2Ekd6/lr5G45S8ljr7EeGnAUKFOoyU8F6dYmvgwBTgNwQsGa+MbWkuaaxuIq0f
-/e3J3PYkdQ+7tNXPsqoDXcOtc0ZPlBRwDx9Js+qh86e5HKh85DzBjjl97giv/3PC
-Ek6imgHhx0QsulWUfGzls+sd3SXf8azBFt6Jh7lUJQafNH++fLZvryGYa2gjEn4V
-Cwr8PTaWLm5TwgHlyJTH8Zkk7yEVZvzJfs6UC8tEaYitmAb8e9cYTztA0e4gPeY/
-9UTyb0XAnol368DGKi5T5L1x1NVHkPc5zVXcGUvUFpEd4q4aJWj9xUyskt13fl8V
-9BOKc1BJZUdCkxRSt1wF4tlcFs9EVbOoYOT2+KJiaWB59ke+O7HUxnjFzNfPFLO9
-ItgNHhahXrhX22e//B9QhzQ5O29UhXpX0y624DK/e/bj96c6ve5NqDIcZdOyVduT
-XiEyfUpP0ZjvwRbS42A1VYs34ELBt5ntUhRvgivXAbBnC19pv/WFurMzaxueQgjh
-e/TUX1FWXh8zq5qPvASxkupdo5GOrcjn6a8zTmRPS6V8jVLQmUHMsCsyFcVUECsL
-99wet1nlFAloL59Z6Cjj3LkyLpeIG/o4ItGEdw5bAgMBAAGjgbowgbcwDwYDVR0T
-AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFBlirZarxvvXjxDEVv9A
-YyJCcHYOMHgGA1UdIwRxMG+AFBlirZarxvvXjxDEVv9AYyJCcHYOoUykSjBIMQsw
-CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMV
-c3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5Lga4wDQYJKoZIhvcNAQENBQAD
-ggQBAHcfJo343EP+u0T1DTa3oJbYtqON1F7UdkJcOUxRhp4HFlPEOFxSnHU5Qi2f
-hzxWZTQEKI2q62AXdyHDygI44dCpSFZNPcZHdwBl26maMHubv7JXFl7TWupvki57
-71ttz+0wc5iU38g3ktVkrcjzUiqKU2BXnvIuLteOHfnSMGR+JG0v94nYl60EEtZr
-/Ru0Orcq93mrQyih4MZMrcssNBI+2HSFmjITBSGAz9G81d/kojtCEsmY37dqpkqO
-lOo57HLTUzuMHW1W+c7wCLAl2rhy0xIJ/t5XpNBvPzc7xKZex01A7kKIcUV5vlvj
-8+NTuMF4NAZjgtODj0Z3kKsxaIlq0O1+SfubdnHE9pNZPXWm4SSW8w1C+n1+MAA2
-RpK7T1T7BiOQD2fSKsCPvocefiWFOUuHkyRPG5vE0Ob5XH5qT5R3xTq1ta1cpxsA
-Rq0s4QHYePZ+gU/7edI7LvZtueOGL4BeR1TSIcbij5+LfFlIjz9ETp3cWc5rxjsm
-xBGeHyCslH2EKuufzg5czqmnTdwC4zGNVUyn8c5YUVpOxEZOpnrrGpR7xCHG6n0s
-PFpXRuSp6JHSDVCFkJLLrIH0MNmXirgsNLQEOX3WBPeK2hj9X3kzV+iRd5YXqBld
-6x1Jnx66iNhJyKHDXfZ84PIZzxaKrDrR35PK3DsZUATx0l56uBWAY3n1Zl5ZrWkd
-c66yvP8/WXqO1IctddURFn1ohkkbCVd8ke45ZQoyHIb+cC2gTU53aYNNAZDHh/C/
-MrU7+d5yH29dLjtv+J3JrDwdtBLMZa4RcIOZxhk7MhheNW3K+Q5xpKrdsqourQ2T
-vBwEmrfiLHRb+Hk8UbPpDW5m3yaXYmn8bQinkD1BP2ru/f6r4Rj+aAtNvz8ofgAg
-RcUcD+jeIDAEWnFCKtHxtp+fLYm5npnwfyCyOID2Lr3K1Z7SpqzoYYq9bfc3AdtL
-uHr9RSjdfsuG0l44xESwC2+Pp6rHwvAIPfPgcZiOX1GObytxXexWYCy9g/DKmUVv
-inTJNjHpH48ffPmCBE2LoylgBv/dSmf6hQSf5lqsKQ3tKApJv8t0oO6jqyvn+aqs
-CTi4WALKhZn9YRKRzcwzYVav1g0fHkrwRQxv8TRM0tYWZ5V01qgumxD3L/37vqDR
-8bx9KvgiF3DbP2q8IbVuVMLwjU6xPH+5sWJCS0Cx2haW1oVw7ppd9sgAkj/wxzt8
-9jl/bx3rD3YwoobFvqry0Rhe4J1LidAAKX+E69c4GwoTIe3eqL/TYkis7YIFLjea
-cm2lumjrrFcnbZLvDK5S/+kfZ2Flt2QoUznNeTTNY1nAnJSgqOgOocvyYDA9vx6H
-d/Fp6btmZH31IEyJrRNVOpCwZPI=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
deleted file mode 100644
index e83798c07..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ /dev/null
@@ -1,46 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIINTCCBB2gAwIBAgIBAjANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN
-b25zdGVyIENBMB4XDTA5MDMyODE0MDcxNloXDTM5MDMyMTE0MDcxNlowWDELMAkG
-A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v
-bnN0ZXIxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggIiMA0GCSqGSIb3
-DQEBAQUAA4ICDwAwggIKAoICAQC/9647SgAcK/or/Qs/3cRc19po7oex5EBdPR7b
-vInAuzrVMK84+ifneBWscVhBnxcUI37D0SpKx0onrdskMOyv5nmkdcgQf8931eip
-scNsw8bC8MJsbc5Jfn3DKPurbKK2/uFFE8ot7S65HY9tVBsxKsrjS5YFPE+DKKP+
-BgVk/9hL0Kqq2iKuWTq8YTRMu5iskpLIxqvuz362G46BKoW52pFegeDzpz/Bs/7y
-0oWPRcNcuRQR5XFTpF2L3UosniMkr7aYU5Z8s7IqiEx7txGh5SxRB+TYIZwB1ODa
-L+bnclQeMsBiFqlO9UI38UaxEQgk/+UhgpaX/DPrZg8KJmjW3e+x8xcwL3ouRLy2
-2Z99WMnV6TlwpTKj24EQJALmLG+UJG+hbV9P9j6Mkql3FHb4aLZH71CvyCqeg2yh
-FGiuaGEe8vS9+Dj5LKv8hSbBe/MSQDiPhKT1gb84TiQMsWfxLN7oDXunohnhMZfu
-sydB/c/R/ooA5ri+lE5c65bP2Mk+ml61p6z7lJv+DXBDXW/o4v8Imjx2OMsL85LZ
-vYWJppdJrThd/m4OVnCXYfuHMZqedsIvNR5blnldATLBjWWbeoKhOyqZb8hZ6HFR
-dlJ11LhxnGg9itG385L3Espl+EVcakWBZWrOn5/LGNKZH3UedclEBNci6lSadZaP
-/UfRCwIDAQABo4IBGDCCARQwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O
-BBYEFOQpYirU7vrMZUWDkqDijTPuhPQiMHgGA1UdIwRxMG+AFBlirZarxvvXjxDE
-Vv9AYyJCcHYOoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry
-b25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5L
-ga4wHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzBBBgNVHR8EOjA4MDag
-NKAyhjBodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tbW9uc3Rl
-ci5jcmwwDQYJKoZIhvcNAQENBQADggQBAAEsjsebEspAIANEBVWRjRpowIJlVSLf
-WKzblIPlhClXafHGJbhiamdtS2FmEh/rkzz3Ml+9cJy1KnB1Pn6+4JLSJe5xAywK
-lKTT2iY0KDdOsaK5j+CNJ2tW9NrJPxwtIz+nGGqqyyEUPJE1FYxphbLgmwFNBm2o
-HyeUVYI+gyfmhyHaXHKOmbsDG0o+pUX2tVOs0KdyU6deaAtEf1E6aA5TpCAi1OZs
-pdRDXFUfjdekRkfRr1PZ41Xwk3t6E32YhIE++r7QneQPhXymxVO9nepmpuSoHvlX
-Hb4JN2EQ0zCkkkOfqCuF46zVxsR46/3cfKbRsaVmdfGjvmDSCDI47AreluYiPTGA
-zN4XN91Y5rPZuT9OJYV4UrYv9N1jH5StVmSz19rbYOeozJXX0PBjdCKHEonD1FHY
-xWRpijVUG6NWVLKpvdg3RiFw78wIrNPAeVDvLL+112nbszNDNLSoOJjOUBySHJda
-WYFtg2IoAUis9r/o7uykNcC6KiU4Y1nC8PEIhMi4AMA9UgBCn4ixYtHI9jkfHcrD
-O1kvPRUo3hKzrhftLYtfiBfTEh+3Xab615lt5vNNhdI7d4knqUXvVdURtvlfJLZv
-W0YdvwjJtrVJAiCtX3wyxy72O1ZOG5kHCcK5oHUHg5W172rK9hK4LByk5ESqtc/t
-YDG7TmZLtUceV5yK4gz7pwIwXthA8yayRy+lbk8BFxRMfOEfb6rPdm0vvmPpHHDu
-yHR5SJTgpGo+/I8N1zS6PNeUBh0RAbSnxHJSMLn+GYTs8s6Atnq05SIuVYxvXyAQ
-ULf+ppNN5lngSZHPaOFJNpC1QL1+DdMNueDITVxYx5DV8SkWRPhzS77tsYeUxVGI
-IpUVEqSggGe6Q4YWv2smAjSeqaS5HNGxstE+Ybat/cp9QMbLc7gwKxwRQHhVRZ5O
-0rVq2bZUyly8y4wX8G8WFMNuCoAcHAdMvKh4JtmdDDZlbxdC2mSVbLSuTBfGvKc1
-ScwOBtSqQkm9PsTMitZM31s97WJLQIZbq82g2ns7hfEXMMIgzcFLYlM1SovbDZI5
-ZM63NBVTaKyj+Gxy8FcAPBPtPWwAQT+Gdi8gFwtcEilTOBECL5y0hzlL9aJpsJEq
-4KV5nnM5rutUufiYzQMZqME3g9VWk0kQteVpa4x+4zsKH9lJSSS/y0eCo/jArS8l
-HSmzUDkj2cWmf/azdrcig7g/mHeEbKu1JH1X5lRdZekqcRCW6v1OjP025B/5nSnL
-WYPUI9RLb01fmPjWdrc4+hPnHjePp8w6tuM6U6huMCwstnOel6d2FL5hOWvXNmIH
-I+8zv7SHhIWQmUbC0YQn8BFqvqDC08In5x42YiTe+42YEtafkTkbY8o=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index 6d39ac084..000000000
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEAv/euO0oAHCv6K/0LP93EXNfaaO6HseRAXT0e27yJwLs61TCv
-OPon53gVrHFYQZ8XFCN+w9EqSsdKJ63bJDDsr+Z5pHXIEH/Pd9XoqbHDbMPGwvDC
-bG3OSX59wyj7q2yitv7hRRPKLe0uuR2PbVQbMSrK40uWBTxPgyij/gYFZP/YS9Cq
-qtoirlk6vGE0TLuYrJKSyMar7s9+thuOgSqFudqRXoHg86c/wbP+8tKFj0XDXLkU
-EeVxU6Rdi91KLJ4jJK+2mFOWfLOyKohMe7cRoeUsUQfk2CGcAdTg2i/m53JUHjLA
-YhapTvVCN/FGsREIJP/lIYKWl/wz62YPCiZo1t3vsfMXMC96LkS8ttmffVjJ1ek5
-cKUyo9uBECQC5ixvlCRvoW1fT/Y+jJKpdxR2+Gi2R+9Qr8gqnoNsoRRormhhHvL0
-vfg4+Syr/IUmwXvzEkA4j4Sk9YG/OE4kDLFn8Sze6A17p6IZ4TGX7rMnQf3P0f6K
-AOa4vpROXOuWz9jJPppetaes+5Sb/g1wQ11v6OL/CJo8djjLC/OS2b2FiaaXSa04
-Xf5uDlZwl2H7hzGannbCLzUeW5Z5XQEywY1lm3qCoTsqmW/IWehxUXZSddS4cZxo
-PYrRt/OS9xLKZfhFXGpFgWVqzp+fyxjSmR91HnXJRATXIupUmnWWj/1H0QsCAwEA
-AQKCAgAn3928CQH+2A+uBXDJwlngYyHF/A4JoHzSITkAsaf3dayhzewHrMaPKP1v
-hVeswcv8becN66uaPs0jctR7LwJrAzevNpvo+XNx0+fxH7CVLhFiOrpX5XMdBv4+
-hIvKLtWZp1XJkHPFmGfFIePB9N91FgtwrSmrSrzFZLKzuDJ0qUQXc2+P76GWj4hI
-yvQfIDR1XDjLJaFfCJCsaQrvv5JpaYIanGXKlqoCpU3GyH3fpcEPyI3nrb4dfp3D
-yKJ4pBxuqWUHPQ2cN4NBnHAunnc2JrFO35HkZw7Nvpc6GwsedjwMzcPyW/ytHvqz
-PhXN/9iuPs0sacC4LzXlppxnIlVSOCoLUpyoe8zXxDJBLsU7d+zDnXZ/1guviHz+
-x4RsEKjlXcvsvnZGAy0pUzOEXIfmWOOSlA7iqkbPNud9nBS4YnOtiZIowLj6893k
-rN1GQ/jw7szBkNh5vjdZT7HAIhlBwyQI3hRJX/h0hdUPNiPW4/j9W94JWcRxk0tO
-vZq7mcTtJ8OFlsNyO12KgFIjT+Gwz7tmNrN+Of98pOt9jRN7hhxY8sQosmW1nePZ
-HuWR52CVShXX/N2d/09hwf48xjYBjF3Mjxc8ySIyERdcWqsWx3j5WaB8rEAAuMcF
-/gY5bb4Oc1MAUtX8aMidvKfVW0Owapj/ApgyOmGbO6YEQCKSIQKCAQEA6hbs2JoD
-8u9sCaabRKNxqnjzXzB7JrR1PKyOjp3Iiku29W1VQ/TMRUpO63LsE3lbv/3RIvi1
-wZN/dFhWC9wOY85iDUci5ZI0QcZA0OIQ/uetrE5/FBOmH9MVIQEXnGHSNPHUWMqk
-EBrykyt+7RMEb7Kldm0V57MesO1FA0y81+UCJP01KZM0D7Nq1Eb6GfNLENah3Fk2
-wHk6g36O1nMAEyjHvS+ht8C0rzNXIqCnkeAuxxAfJde9TYpuW7oCt1JEeh2VAmOO
-7QESq2x0OrPKLCUs00y5k0I9eqvAaQfCC6EcdiX7FyAfX5n5Vf5FbfbWhf9oheno
-CQ0uai4v1uqX2wKCAQEA0e91hlukBO2InB9j+54R3XA0buCr/eQFqJ4sAjgL9GCk
-n09tfytH/nLPw/g/l7snyVmGW3uZfmkOqnTP9Yfbx1dU0pPRN11qM9QG6YH+Odkv
-D+LpRnYRjj7QxQJQbGy+2IZN8cmtpJQziSmQMNZU/YoDpq7wYNVhwnP0Z3ZgUo3d
-GfRPbGw951dOAK0Z6S61+mXSQE9JhZBo49zOrmkgLa1fmLfJoukmz4MTZqoWFffq
-+1Q4vdYgRS8ToT2Rmba+7s4UAmVKyACEw8WEyjH3TXxd6tQy/smzcD0Vgg7Ghvg7
-Vs5ion9HcqDEcQ1YWvMDWPD/x4fyVgu4v2QW/k/KkQKCAQBPb04ZxlG2u1YfBEFG
-DmyA26BCWfJAVRY/a5LIhHRLsZu5NsurTsOOc8PKE+pWRWVEBj5Urq8GrCWg9mTk
-i1z6s0sElHIcEvvWog7WkxAPX9DIWq62wmAqBnfyBivb7jnlq3ZSVxlLOcm89RKS
-IlTsDmQlhqjbQiYVBb7Yes7OODD9GktS+1e8SDblJ9ywt6VuZlbwrfltYPXhLy4L
-SWTqG3mEEki/UQ4/MZ3M61VRpBBbjnXzYn0jdekzCTDowmroQWeSMvSKKkYKk7fx
-P5dIWakXXr7OYLj6CpQ1T+OiDJ7a3NKSq1zaFSbN7oXi5dMwD1aJsrEBeU6Zy2iC
-doLnAoIBAQCzC716J7JNmaCHNqZ5NKkb6NRvNCK72LuSwcPa6J4ZgEsmrAFBElLG
-inj0NEdYSwB102qpn1Kb41HkwteSGpqw+qSXLAalZ4BqT4zNnlaKU9a1f9tggtYa
-MSywuXaJ4n0qAfF8I3t7AAKsGsylOkcmLY1LnavZimNkCq0JiIZCIkfOGPWcDP0G
-zwjxvrB4laQSuMCGpJiZ1z3+CJYlXfdZvaHoh+bqkFrPZIUpbCqF9fls/Lmf/n1r
-Q+lD/VSuepOA7DVYjbcnuHmC1nSYVeELLuSSoQQVFUV6lj4/vAZJmnBRapfo6xCu
-jLq9iJowh031jyU2sZVXGYwpf12066xhAoIBADCtIvqwfy9pcqYs8PQMQTbDuz3G
-ZCe3E5SLJ00gk/PBVJihOYvdKgwoZAyWdWxOPDKzBJAaJBgpmpWKeX3k92HgLxyi
-50zKogbCc49mz2c6kRC13SviPAjO1XuM+FKo50AICenauu21/ZeMYuLt9gxnhEo5
-kkIYhD0irfTw5MMEKITAs71iB74Lxm9gv/+jOwsgoP23k562NHnIvPdbDzbR/ROD
-xb/3DsGbB4kmUXoLlWxradiZGczPddki+bMI4meMs8oH+XP14KyGqWC8LSuBDg8Y
-fADibXSIAHobiN+KhDtWz9Wnhtch9C8Q5+JDjixdspcn4lkMdMK532v/FBM=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/after-2038-certs/posttest.dat b/testing/tests/ikev1/after-2038-certs/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev1/after-2038-certs/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/after-2038-certs/pretest.dat b/testing/tests/ikev1/after-2038-certs/pretest.dat
deleted file mode 100644
index 4921d5097..000000000
--- a/testing/tests/ikev1/after-2038-certs/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 1
-carol::ipsec up home
diff --git a/testing/tests/ikev1/after-2038-certs/test.conf b/testing/tests/ikev1/after-2038-certs/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/ikev1/after-2038-certs/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/alg-3des-md5/description.txt b/testing/tests/ikev1/alg-3des-md5/description.txt
new file mode 100644
index 000000000..4c39d0b04
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/description.txt
@@ -0,0 +1,4 @@
+Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
+<b>3DES_CBC / HMAC_MD5_96</b> by defining <b>esp=3des-md5-modp1024!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-3des-md5/evaltest.dat b/testing/tests/ikev1/alg-3des-md5/evaltest.dat
new file mode 100644
index 000000000..abd29e97e
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/evaltest.dat
@@ -0,0 +1,15 @@
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES
+carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES
+moon:: ip xfrm state::enc cbc(des3_ede)::YES
+carol::ip xfrm state::enc cbc(des3_ede)::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..11874bbe4
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=3des-md5-modp1024!
+	esp=3des-md5-modp1024!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/ipsec.conf
index 0b9f891bd..41fb1f7db 100755..100644
--- a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	cachecrls=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,11 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	ike=3des-md5-modp1024!
+	esp=3des-md5-modp1024!
+
+conn rw
 	left=PH_IP_MOON
+	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
-
-conn rw
 	leftsubnet=10.1.0.0/16
 	right=%any
 	auto=add
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-3des-md5/posttest.dat b/testing/tests/ikev1/alg-3des-md5/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-3des-md5/pretest.dat b/testing/tests/ikev1/alg-3des-md5/pretest.dat
new file mode 100644
index 000000000..4fc25772b
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1 
+carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-3des-md5/test.conf b/testing/tests/ikev1/alg-3des-md5/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/ikev1/alg-3des-md5/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/alg-blowfish/description.txt b/testing/tests/ikev1/alg-blowfish/description.txt
index 7b14287f7..24b50b909 100644
--- a/testing/tests/ikev1/alg-blowfish/description.txt
+++ b/testing/tests/ikev1/alg-blowfish/description.txt
@@ -1,4 +1,6 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the strong cipher suite
-<b>BLOWFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and 
-<b>BLOWFISH_CBC_256 / HMAC_SHA2_512</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP
+encryption.  Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat
index 4ea613d3d..cd83c56b4 100644
--- a/testing/tests/ikev1/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat
@@ -1,11 +1,17 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-moon::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_512::YES
-moon::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_512::YES
-carol::ip xfrm state::enc cbc(blowfish)::YES
-moon::ip xfrm state::enc cbc(blowfish)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
+dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
+dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
+carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
+dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
+
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
index 57394c27a..db409be43 100755..100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=blowfish256-sha2_512-modp4096!
-	esp=blowfish256-sha2_512!
+	ike=blowfish256-sha512-modp2048!
+	esp=blowfish192-sha384!
 
 conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
+	leftfirewall=yes
 	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
index 4dbdc67b3..1f0fd41a8 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
+charon {
   dh_exponent_ansi_x9_42 = no
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/ipsec.conf
index 726998e19..fd3343c1a 100755..100644
--- a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,18 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	ike=blowfish128-sha256-modp1536!
+	esp=blowfish128-sha256!
 
 conn home
 	left=PH_IP_DAVE
-	leftsourceip=%modeconfig
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..1f0fd41a8
--- /dev/null
+++ b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  dh_exponent_ansi_x9_42 = no
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
index 427c5d180..f3c84ece8 100755..100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=blowfish256-sha2_512-modp4096!
-	esp=blowfish256-sha2_512!
+	ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
+	esp=blowfish192-sha384,blowfish128-sha256!
 
 conn rw
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
 	right=%any
-	rightid=carol@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
index 4dbdc67b3..1f0fd41a8 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
+charon {
   dh_exponent_ansi_x9_42 = no
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-blowfish/posttest.dat b/testing/tests/ikev1/alg-blowfish/posttest.dat
index c6d6235f9..1865a1c60 100644
--- a/testing/tests/ikev1/alg-blowfish/posttest.dat
+++ b/testing/tests/ikev1/alg-blowfish/posttest.dat
@@ -1,2 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-blowfish/pretest.dat b/testing/tests/ikev1/alg-blowfish/pretest.dat
index 5e1e80e1d..8bbea1412 100644
--- a/testing/tests/ikev1/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev1/alg-blowfish/pretest.dat
@@ -1,6 +1,9 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2 
-carol::ipsec up home
+carol::ipsec start
+dave::ipsec start
 carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/alg-blowfish/test.conf b/testing/tests/ikev1/alg-blowfish/test.conf
index 6abbb89a9..f29298850 100644
--- a/testing/tests/ikev1/alg-blowfish/test.conf
+++ b/testing/tests/ikev1/alg-blowfish/test.conf
@@ -1,22 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
-
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
index 0f71ba5f5..8230ee30c 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat
@@ -1,11 +1,15 @@
-moon::cat /var/log/auth.log::MODP_2048_224.*refused due to strict flag::YES
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024_160::YES
-dave::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
index 944524020..15b6ec831 100755..100644
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
index a9de84e91..b3f765477 100755..100644
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
index 424f78bb4..192df5abd 100755..100644
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-modp-subgroup/posttest.dat b/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
+++ b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev1/alg-modp-subgroup/test.conf b/testing/tests/ikev1/alg-modp-subgroup/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/test.conf
+++ b/testing/tests/ikev1/alg-modp-subgroup/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/alg-sha256-96/description.txt b/testing/tests/ikev1/alg-sha256-96/description.txt
deleted file mode 100644
index c5ab23e51..000000000
--- a/testing/tests/ikev1/alg-sha256-96/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_128 / HMAC_SHA2_256_96</b> with 96 bit instead of the standard 128 bit
-truncation, allowing compatibility with Linux kernels older than 2.6.33
-by defining <b>esp=aes128-sha256_96!</b> in ipsec.conf.
-A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha256-96/evaltest.dat b/testing/tests/ikev1/alg-sha256-96/evaltest.dat
deleted file mode 100644
index 6e8715b1f..000000000
--- a/testing/tests/ikev1/alg-sha256-96/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
-moon::ip xfrm state::auth hmac(sha256)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
-
diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 2d6f87b17..000000000
--- a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256_96!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index b2a686db0..000000000
--- a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256_96!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/alg-sha256-96/posttest.dat b/testing/tests/ikev1/alg-sha256-96/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/alg-sha256-96/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/alg-sha256-96/pretest.dat b/testing/tests/ikev1/alg-sha256-96/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/alg-sha256-96/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha256-96/test.conf b/testing/tests/ikev1/alg-sha256-96/test.conf
deleted file mode 100644
index 6abbb89a9..000000000
--- a/testing/tests/ikev1/alg-sha256-96/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/alg-sha256/description.txt b/testing/tests/ikev1/alg-sha256/description.txt
index 628101921..826a8f10b 100644
--- a/testing/tests/ikev1/alg-sha256/description.txt
+++ b/testing/tests/ikev1/alg-sha256/description.txt
@@ -1,4 +1,4 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
-<b>AES_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and 
-<b>AES_CBC_128 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_128 / HMAC_SHA2_256_128</b> by defining <b>esp=aes128-sha256-modp2048!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha256/evaltest.dat b/testing/tests/ikev1/alg-sha256/evaltest.dat
index 00fcb8862..eba856742 100644
--- a/testing/tests/ikev1/alg-sha256/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha256/evaltest.dat
@@ -1,12 +1,13 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
-moon::ip xfrm state::auth hmac(sha256)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
-
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
index 66476b83e..73e25710b 100755..100644
--- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,14 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256!
+	esp=aes128-sha256-modp2048!
 
 conn home
 	left=PH_IP_CAROL
+	leftfirewall=yes
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	auto=add
+	auto=add 
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
index 2b97ff4f3..0a6f48e69 100755..100644
--- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,13 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	ike=aes128-sha256-modp2048!
-	esp=aes128-sha256!
+	esp=aes128-sha256-modp2048!
 
 conn rw
 	left=PH_IP_MOON
+	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	right=%any
-	rightid=carol@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-sha256/posttest.dat b/testing/tests/ikev1/alg-sha256/posttest.dat
index c6d6235f9..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-sha256/posttest.dat
+++ b/testing/tests/ikev1/alg-sha256/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-sha256/pretest.dat b/testing/tests/ikev1/alg-sha256/pretest.dat
index 7d077c126..4fc25772b 100644
--- a/testing/tests/ikev1/alg-sha256/pretest.dat
+++ b/testing/tests/ikev1/alg-sha256/pretest.dat
@@ -1,5 +1,6 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+carol::sleep 1 
 carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha256/test.conf b/testing/tests/ikev1/alg-sha256/test.conf
index 6abbb89a9..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-sha256/test.conf
+++ b/testing/tests/ikev1/alg-sha256/test.conf
@@ -1,22 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/alg-sha384/description.txt b/testing/tests/ikev1/alg-sha384/description.txt
index 251e2e6a2..2255fe8fb 100644
--- a/testing/tests/ikev1/alg-sha384/description.txt
+++ b/testing/tests/ikev1/alg-sha384/description.txt
@@ -1,4 +1,4 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
-<b>AES_CBC_192 / HMAC_SHA2_384 / MODP_3072</b> for the IKE protocol and 
-<b>AES_CBC_192 / HMAC_SHA2_384</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_192 / HMAC_SHA2_384_192</b> by defining <b>esp=aes192-sha384-modp3072!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha384/evaltest.dat b/testing/tests/ikev1/alg-sha384/evaltest.dat
index 4da5ec5e7..3b24217c5 100644
--- a/testing/tests/ikev1/alg-sha384/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha384/evaltest.dat
@@ -1,12 +1,13 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_3072::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_384::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_384::YES
-carol::ip xfrm state::auth hmac(sha384)::YES
-moon::ip xfrm state::auth hmac(sha384)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
-
diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
index 42df1dccd..6f1519f2c 100755..100644
--- a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,14 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	ike=aes192-sha384-modp3072!
-	esp=aes192-sha384!
+	esp=aes192-sha384-modp3072!
 
 conn home
 	left=PH_IP_CAROL
+	leftfirewall=yes
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	auto=add
+	auto=add 
diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
index a75d370aa..919ee9b09 100755..100644
--- a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,13 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	ike=aes192-sha384-modp3072!
-	esp=aes192-sha384!
+	esp=aes192-sha384-modp3072!
 
 conn rw
 	left=PH_IP_MOON
+	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	right=%any
-	rightid=carol@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-sha384/posttest.dat b/testing/tests/ikev1/alg-sha384/posttest.dat
index c6d6235f9..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-sha384/posttest.dat
+++ b/testing/tests/ikev1/alg-sha384/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-sha384/pretest.dat b/testing/tests/ikev1/alg-sha384/pretest.dat
index 7d077c126..4fc25772b 100644
--- a/testing/tests/ikev1/alg-sha384/pretest.dat
+++ b/testing/tests/ikev1/alg-sha384/pretest.dat
@@ -1,5 +1,6 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+carol::sleep 1 
 carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha384/test.conf b/testing/tests/ikev1/alg-sha384/test.conf
index 6abbb89a9..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-sha384/test.conf
+++ b/testing/tests/ikev1/alg-sha384/test.conf
@@ -1,22 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/alg-sha512/description.txt b/testing/tests/ikev1/alg-sha512/description.txt
index adfc548b8..bf79a3bff 100644
--- a/testing/tests/ikev1/alg-sha512/description.txt
+++ b/testing/tests/ikev1/alg-sha512/description.txt
@@ -1,4 +1,4 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
-<b>AES_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and 
-<b>AES_CBC_256 / HMAC_SHA2_512</b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>AES_CBC_256 / HMAC_SHA2_512_256</b> by defining <b>esp=aes256-sha512-modp4096!</b>
+in ipsec.conf. The same cipher suite is used for IKE.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha512/evaltest.dat b/testing/tests/ikev1/alg-sha512/evaltest.dat
index 7e928d30b..6bdceeb44 100644
--- a/testing/tests/ikev1/alg-sha512/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha512/evaltest.dat
@@ -1,12 +1,13 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_512::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_512::YES
-carol::ip xfrm state::auth hmac(sha512)::YES
-moon::ip xfrm state::auth hmac(sha512)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
-
diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
index 329de395c..79272111c 100755..100644
--- a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,14 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	ike=aes256-sha512-modp4096!
-	esp=aes256-sha512!
+	esp=aes256-sha512-modp4096!
 
 conn home
 	left=PH_IP_CAROL
+	leftfirewall=yes
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	auto=add
+	auto=add 
diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
index 8da459a8a..bdfcb4e4d 100755..100644
--- a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,13 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	ike=aes256-sha512-modp4096!
-	esp=aes256-sha512!
+	esp=aes256-sha512-modp4096!
 
 conn rw
 	left=PH_IP_MOON
+	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	right=%any
-	rightid=carol@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/alg-sha512/posttest.dat b/testing/tests/ikev1/alg-sha512/posttest.dat
index c6d6235f9..046d4cfdc 100644
--- a/testing/tests/ikev1/alg-sha512/posttest.dat
+++ b/testing/tests/ikev1/alg-sha512/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/alg-sha512/pretest.dat b/testing/tests/ikev1/alg-sha512/pretest.dat
index 7d077c126..4fc25772b 100644
--- a/testing/tests/ikev1/alg-sha512/pretest.dat
+++ b/testing/tests/ikev1/alg-sha512/pretest.dat
@@ -1,5 +1,6 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+carol::sleep 1 
 carol::ipsec up home
diff --git a/testing/tests/ikev1/alg-sha512/test.conf b/testing/tests/ikev1/alg-sha512/test.conf
index 6abbb89a9..4a5fc470f 100644
--- a/testing/tests/ikev1/alg-sha512/test.conf
+++ b/testing/tests/ikev1/alg-sha512/test.conf
@@ -1,22 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/attr-cert/description.txt b/testing/tests/ikev1/attr-cert/description.txt
deleted file mode 100644
index b7f809c36..000000000
--- a/testing/tests/ikev1/attr-cert/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of <b>X.509 Attribute Certificates</b>. Access to <b>alice</b>
-is granted to members of the group 'Research' whereas <b>venus</b> can only
-be reached by members of the groups 'Accounting' and 'Sales'. The roadwarriors
-<b>carol</b> and <b>dave</b> belong to the groups 'Research' and 'Accounting',
-respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b>
-can reach <b>venus</b>.
-\ No newline at end of file
diff --git a/testing/tests/ikev1/attr-cert/evaltest.dat b/testing/tests/ikev1/attr-cert/evaltest.dat
deleted file mode 100644
index c6c3c66c3..000000000
--- a/testing/tests/ikev1/attr-cert/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::alice.*peer with attributes .*Research.* is a member of the groups .*Research::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::venus.*peer with attributes .*Research.* is not a member of the groups .*Accounting::YES
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::venus.*peer with attributes .*Accounting.* is a member of the groups .*Accounting::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::alice.*peer with attributes .*Accounting.* is not a member of the groups .*Research::YES
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index a84b3a6b2..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
deleted file mode 100644
index 61d1c34e2..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEKjCCAxKgAwIBAgIBHzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTEwMDIyNzIxMDUzMFoXDTE1MDIyNjIxMDUzMFowZjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv
-cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKw0NWg8FpkrWoItNzexEiaS
-dESF+blw2+2y51vVmbDk9edfJcjkzBNIEvY/0GXODmcthjExiTNgmNuCdQwapCHx
-p39HaD902rzmvflI40dZTmlFcn0Pp41wNbvjVaOpn7f6Mov68YmsoLQr47+OU6sn
-d3c8rx+BXO4g6YyRB0xpwB2kfO34FZh7FwOe4sVAJu5E7urK0hij2W1+adZNFg7K
-SP2i7llfooxWpS+6Vi6ZjuJ/dcGyvXpXnr0H2x58sZeaB5n8Ay+mhPDX72xXfwEm
-s7fztkhqmmix2TVEH96dR99ouCENF1Cm8OCbR1kkhWReL6P0tCbirbwFbZxKtOUC
-AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFEvO
-LmT1B7kU0IJsJtK+0nZMwxXgMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq
-Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh
-QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry
-b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQELBQADggEBAI2K
-atqWeSWcxmcylrBJXkXDOsZtFZAE/kGWD5+T/lDFzE5D0GeDWfHehojtooWGpnL3
-u7xo3h3+qVliYcCFy1zKtPE0lwkBWKFPSw4UNfOmaF4De6Tp1V6FSQE9JPNpcTL/
-aPWFkX69Py8elR8OIsXPlFtOfTbtjZxoGuLNn7BX1XjctG5iIhKs/3TVMdzcyjVL
-wKiDE1xq8/Es2pPTgvF8jk7VcNyIGhrlj1IYq35h0RKTSXTCRlczf+lzoPo6Duov
-G0r/8VLpI4bBmKN4cIvaRCa4zew8SWpJzg/06zm2QT8eEJVVB499usVf9OVS3Qa5
-8mcNXcKmqcyP2Tlnvbo=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem
deleted file mode 100644
index 250441ad0..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArDQ1aDwWmStagi03N7ESJpJ0RIX5uXDb7bLnW9WZsOT1518l
-yOTME0gS9j/QZc4OZy2GMTGJM2CY24J1DBqkIfGnf0doP3TavOa9+UjjR1lOaUVy
-fQ+njXA1u+NVo6mft/oyi/rxiaygtCvjv45Tqyd3dzyvH4Fc7iDpjJEHTGnAHaR8
-7fgVmHsXA57ixUAm7kTu6srSGKPZbX5p1k0WDspI/aLuWV+ijFalL7pWLpmO4n91
-wbK9eleevQfbHnyxl5oHmfwDL6aE8NfvbFd/ASazt/O2SGqaaLHZNUQf3p1H32i4
-IQ0XUKbw4JtHWSSFZF4vo/S0JuKtvAVtnEq05QIDAQABAoIBAQCbfhUPhtp8+imi
-zANFFW2nSK0VxsgEi4T7MIU6Zjh+A3CLuF2c9gPUEUuV8W9SzeoxfmjieLFDpCDC
-bR0VjeTRBazR//+A9RoiYlP+CbO4FEr6QYwsovsPetf6TT9iJeMjtBb6UODTCP6f
-UdY3fOPN8zgrga87yorINw3MMJSfiI21zSzCkueOQloktBgih5Wueu8FDFUB2fVa
-uLTUa+wOhXUBPyF5OXLox5TxE6gBPkiUsnNXP8X/kHLPk2iBQmdxz+uwG/Pz6pS2
-JsmX2WzFJ0+Rj4cJpoa4Ev5uAx79kcXnQT3d5/HIwuh7ZEMKorb1m8w8lhAW4ARU
-ddjhLkWhAoGBAOCpDGfLwQHWVejOcjEwfWts0hHLdlNfZEgsLSex2k/U6Mk1TjCo
-tAHQOvmqxZDxypJEem3RPaWZh+gttTpHvGkS9fsvTpyARcDp0FXI40hwARPsnMbI
-0fDmpVfOOLZdQKMDg42TrZC/mipU68gFP/rYC7xalJs0pe0LL3ffsSC5AoGBAMQ5
-3V6nuucpL87I0fKg56z0/3lcRxI46KuIXhHSAjxNb76cQuxiK8s5TPCot3Unq6GQ
-R7Y+dYd1FVEh2i3Q7/Yh/BSeYiDcDf5aELCwY32O/OnSSoNTbgGR5FT+/SHJK5bg
-j/O5S7+dajqtC2JZJl8smOeB5c187bc4FU72+6eNAoGAZUiRSTI434Ur0ftQzBBa
-WtYClvctb0TwRwFzkhPCon8QO7YGfDVygebIz8pHq6L2ep7Yuy28Jy5icTA6Jf41
-WQGtWALp4/CIggJnZGVe4kdslPj1bUEYNQ0mucFFHCJKg7OP2YIcm8dlz3PdoJ2N
-TJ+eGtqTaK2BqK6ERfzZNDECgYBbVTOcYyWzgpAmB4LxE8PB1Sc0LadG7AYgERD3
-6m/v8XsZlVHxBKCtrrYJLf52IUjZonY+dUPvEKgjY0ZSHPYT8i2Ky02RTduVkAZE
-t1UXk/5UNvVHuwVw5Z8JkMXxe9k2GL/oCU8gmPxg4zpxRF1/3xosZ2G3C3b52LjS
-UFNB4QKBgDX2UmLgRHAXDsmksNZaMUSNk+xws0B1M/EDd9h7e79ilENkOPDLo5+E
-z22WPNrgzKEUz44FZZOsislfPE7ffgQcRTxtNWqoElwxuHLuy46jaReL7zJSDtpv
-wtn4YoOpH0DnC994nziTQif33FBF/2o8hWoq4vcXKNSMGTwGzi/a
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem
deleted file mode 100644
index f212e19cf..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBHDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MDgyNzEwMzczOVoXDTE0MDgyNjEwMzczOVowWzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291
-bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQDAB/JTbwVY5oNF0+8Behdbc0NOeX+bl0SOcgpZ
-ha6nbMBQO41jtOI5r5Xbg9sK9l+DYOnZQZEsEhIVZDoK8yGI/FIEE+gWRf+OLmI8
-k2K+G1dklTC/VP2tZWMQYQWs6UnX3iiVpHccI3CQqqJWe9fZsIsq0J9j9hu6h9dG
-IEbon6RXDLPI5DIiIKc3r0jDHNDsIUDzcjuUdCxKFCMuHUCfa1PBiqpj5pP6XT0G
-gI6UjbgnNWPTPb2axE7P1x5gQmVwiFiYs+VTh2fq9O9xNxnn/YmzLk4/YNly7xYX
-Q31NuhSvRpH7jsJ1p4VSuunYqvccPUKsp5PvCtCeGvNT2qt1AgMBAAGjggEFMIIB
-ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU7n842u6huBpBd394
-8mdL6EOdjg4wbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAyAbxrpMtTARw3
-jvBwuapaHXnTppz+TkWyfXVpgTwtPlf3rbhPk4DjhT2ygyMTI1azoqProf2aBbDr
-DldCSQPsZAcuzOdruKKMo2CQwgLuBFXL+JUX0hiIpFS1ZZHA2aDKyUw4OyADOvDU
-8r1/WiwRb91TdYP9nEu9qP30k0vkUg8DCbCmPI1/MVaxVzh9LRAFyOHrnKSCXG7o
-StmVFm2Yf3pE4HS1W6DtommyPs7aUD5XAaQdr3DYKI/TazoU6t5g2aEqigu+pj2M
-qk5idJkx5VCFvUU1hlChyX6NNNjJNnV6u5YiuatcdYQhpCTBsxnBoM+w0BvNOCl+
-1PdgEy1K
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf
deleted file mode 100644
index 134218eec..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf
+++ /dev/null
@@ -1,4 +0,0 @@
---cert /etc/ipsec.d/aacerts/aaCert.pem
---key /etc/openac/aaKey.pem
---quiet
---hours 8
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 1a47aeb7d..000000000
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-openac {
-  load = sha1 sha2 md5 pem pkcs1 x509 gmp random x509
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/attr-cert/posttest.dat b/testing/tests/ikev1/attr-cert/posttest.dat
deleted file mode 100644
index a59c3ff63..000000000
--- a/testing/tests/ikev1/attr-cert/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/openac/*
-moon::rm /etc/ipsec.d/aacerts/aaCert.pem
-moon::rm /etc/ipsec.d/acerts/*
diff --git a/testing/tests/ikev1/attr-cert/pretest.dat b/testing/tests/ikev1/attr-cert/pretest.dat
deleted file mode 100644
index 3c7fb5dc6..000000000
--- a/testing/tests/ikev1/attr-cert/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::cat /etc/openac/default.conf
-moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem --groups Research --out /etc/ipsec.d/acerts/carolAC.pem 2> /dev/null
-moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem --groups Accounting --out /etc/ipsec.d/acerts/daveAC.pem 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
-carol::ipsec up venus
-dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev1/attr-cert/test.conf b/testing/tests/ikev1/attr-cert/test.conf
deleted file mode 100644
index 08e5cc145..000000000
--- a/testing/tests/ikev1/attr-cert/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/compress/evaltest.dat b/testing/tests/ikev1/compress/evaltest.dat
index ff72e1762..2ec840c68 100644
--- a/testing/tests/ikev1/compress/evaltest.dat
+++ b/testing/tests/ikev1/compress/evaltest.dat
@@ -1,10 +1,9 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec statusall::policy.*COMPRESS::YES
-carol::ipsec statusall::policy.*COMPRESS::YES
-moon::ipsec statusall::comp.::YES
-carol::ipsec statusall::comp.::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
 carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
 moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::moon.strongswan.org >  carol.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
index f5050fef1..291b8cc93 100755..100644
--- a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
index aaf13f5fc..28cf2d1c0 100755..100644
--- a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/compress/pretest.dat b/testing/tests/ikev1/compress/pretest.dat
index 7d077c126..f5aa989fe 100644
--- a/testing/tests/ikev1/compress/pretest.dat
+++ b/testing/tests/ikev1/compress/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev1/compress/test.conf b/testing/tests/ikev1/compress/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/ikev1/compress/test.conf
+++ b/testing/tests/ikev1/compress/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/mode-config/description.txt b/testing/tests/ikev1/config-payload/description.txt
index 3e67f83f1..ff6928e89 100644
--- a/testing/tests/ikev1/mode-config/description.txt
+++ b/testing/tests/ikev1/config-payload/description.txt
@@ -1,6 +1,6 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
 Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
-by using the <b>leftsourceip=%modeconfig</b> parameter. <b>leftfirewall=yes</b> automatically
+by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
 tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
 <b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
diff --git a/testing/tests/ikev1/config-payload/evaltest.dat b/testing/tests/ikev1/config-payload/evaltest.dat
new file mode 100644
index 000000000..b46dfddf6
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/evaltest.dat
@@ -0,0 +1,26 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/config-payload/hosts/carol/etc/ipsec.conf
index 528e3f1b3..5a77f8707 100755..100644
--- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/config-payload/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -15,10 +11,11 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
+	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0e4e57729
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/config-payload/hosts/dave/etc/ipsec.conf
index e1c864e58..6ea2d2bb1 100755..100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/config-payload/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +8,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	modeconfig=push
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..0e4e57729
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/config-payload/hosts/moon/etc/ipsec.conf
index 37278081e..819a25437 100755..100644
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/config-payload/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,10 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	rekey=no
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..002166a54
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr
+
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP_VENUS
+}
diff --git a/testing/tests/ikev1/config-payload/posttest.dat b/testing/tests/ikev1/config-payload/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/config-payload/pretest.dat b/testing/tests/ikev1/config-payload/pretest.dat
new file mode 100644
index 000000000..3864bdac3
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/pretest.dat
@@ -0,0 +1,10 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/config-payload/test.conf b/testing/tests/ikev1/config-payload/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev1/config-payload/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/crl-from-cache/description.txt b/testing/tests/ikev1/crl-from-cache/description.txt
deleted file mode 100644
index 17866f572..000000000
--- a/testing/tests/ikev1/crl-from-cache/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. When <b>carol</b> initiates
-an IPsec connection to <b>moon</b>, both VPN endpoints find a cached CRL in
-their <b>/etc/ipsec.d/crls/</b> directories which allows them to immediately verify
-the certificate received from their peer.
diff --git a/testing/tests/ikev1/crl-from-cache/evaltest.dat b/testing/tests/ikev1/crl-from-cache/evaltest.dat
deleted file mode 100644
index bdceddb79..000000000
--- a/testing/tests/ikev1/crl-from-cache/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::cat /var/log/auth.log::loaded crl from::YES
-carol::cat /var/log/auth.log::loaded crl from::YES
-moon::cat /var/log/auth.log::X.509 certificate rejected::NO
-carol::cat /var/log/auth.log::X.509 certificate rejected::NO
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::written crl file::NO
-carol::cat /var/log/auth.log::written crl file::NO
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index ec0bc2e88..000000000
--- a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	cachecrls=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn net-net
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
-        
-conn host-host
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	auto=add
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/crl-from-cache/posttest.dat b/testing/tests/ikev1/crl-from-cache/posttest.dat
deleted file mode 100644
index be17847c1..000000000
--- a/testing/tests/ikev1/crl-from-cache/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev1/crl-from-cache/pretest.dat b/testing/tests/ikev1/crl-from-cache/pretest.dat
deleted file mode 100644
index acdb265ed..000000000
--- a/testing/tests/ikev1/crl-from-cache/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::wget -q http://crl.strongswan.org/strongswan.crl
-moon::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
-carol::wget -q http://crl.strongswan.org/strongswan.crl
-carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/crl-from-cache/test.conf b/testing/tests/ikev1/crl-from-cache/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/crl-from-cache/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/crl-ldap/description.txt b/testing/tests/ikev1/crl-ldap/description.txt
deleted file mode 100644
index 02dc0cbbe..000000000
--- a/testing/tests/ikev1/crl-ldap/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is
-available, the Main Mode negotiation fails. A http fetch for an updated CRL fails
-because the web server is currently not reachable. Thus the second Main Mode negotiation
-fails, too. Finally an ldap fetch to get the CRL from the LDAP server <b>winnetou</b>
-is triggered. When the third Main Mode trial comes around, the fetched CRL has become
-available and the IKE negotiation completes. The new CRL is again cached locally as a
-file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option.
diff --git a/testing/tests/ikev1/crl-ldap/evaltest.dat b/testing/tests/ikev1/crl-ldap/evaltest.dat
deleted file mode 100644
index 80a84e1ef..000000000
--- a/testing/tests/ikev1/crl-ldap/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-moon::cat /var/log/auth.log::loaded crl from::YES
-carol::cat /var/log/auth.log::loaded crl from::YES
-moon::cat /var/log/auth.log::crl is stale::YES
-carol::cat /var/log/auth.log::crl is stale::YES
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
-carol::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::written crl file::YES
-carol::cat /var/log/auth.log::written crl file::YES
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 571459bae..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 5a7668c64..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	cachecrls=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=2
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
deleted file mode 100644
index 75e8b0959..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+++ /dev/null
diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 71358d6c6..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 8de514a2e..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 1b80c0ddd..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	cachecrls=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=2
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-
-conn net-net
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
-        
-conn host-host
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	auto=add
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
deleted file mode 100644
index 75e8b0959..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl
+++ /dev/null
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 71358d6c6..000000000
--- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/crl-ldap/posttest.dat b/testing/tests/ikev1/crl-ldap/posttest.dat
deleted file mode 100644
index bddd87424..000000000
--- a/testing/tests/ikev1/crl-ldap/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev1/crl-ldap/pretest.dat b/testing/tests/ikev1/crl-ldap/pretest.dat
deleted file mode 100644
index 64fa8116b..000000000
--- a/testing/tests/ikev1/crl-ldap/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
-carol::sleep 3 
diff --git a/testing/tests/ikev1/crl-ldap/test.conf b/testing/tests/ikev1/crl-ldap/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/crl-ldap/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/crl-revoked/description.txt b/testing/tests/ikev1/crl-revoked/description.txt
deleted file mode 100644
index 780068ce6..000000000
--- a/testing/tests/ikev1/crl-revoked/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and no current CRL is available, the Main Mode negotiation fails
-and a http fetch to get the CRL from the web server <b>winnetou</b> is triggered.
-When the second Main Mode trial comes around the fetched CRL will be available
-but because the certificate presented by carol has been revoked,
-the IKE negotatiation will fail.
diff --git a/testing/tests/ikev1/crl-revoked/evaltest.dat b/testing/tests/ikev1/crl-revoked/evaltest.dat
deleted file mode 100644
index 0fd1cae8c..000000000
--- a/testing/tests/ikev1/crl-revoked/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::certificate was revoked::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec listcrls:: ok::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 77f6cfcb0..000000000
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolRevokedCert.pem
-	leftid=carol@strongswan.org
-
-conn home
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
deleted file mode 100644
index a92610c4f..000000000
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MDgyNzEwMzEwNloXDTE0MDgyNjEwMzEwNlowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAOHh/BBf9VwUbx3IU2ZvKJylwCUP2Gr40Velcexr
-lR1PoK3nwZrJxxfhhxrxdx7Wnt/PDiF2eyzA9U4cOyS1zPpWuRt69PEOWfzQJZkD
-e5C6bXZMHwJGaCM0h8EugnwI7/XgbEq8U/1PBwIeFh8xSyIwyn8NqyHWm+6haFZG
-Urz7y0ZOAYcX5ZldP8vjm2SyAl0hPlod0ypk2K1igmO8w3cRRFqD27XhztgIJyoi
-+BO3umc+BXcpPGoZ7IFaXvHcMVECrxbkrvRdpKiz/4+u8FakQJtBmYuqP2TLodRJ
-TKSJ4UvIPXZ8DTEYC/Ja/wrm1hNfH4T3YjWGT++lVbYF7qECAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQRnt9aYXsi/fgMXGVh
-ZpTfg8kSYjBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCY2EMqkuhtAls/
-jkjXm+sI5YVglE62itSYgJxKZhxoFn3l4Afc6+XBeftK8Y1IjXdeyQUg8qHhkctl
-nBiEzRCClporCOXl5hOzWi+ft2hyKgcx8mFB8Qw5ZE9z8dvY70jdPCB4cH5EVaiC
-6ElGcI02iO073iCe38b3rmpwfnkIWZ0FVjSFSsTiNPLXWH6m6tt9Gux/PFuLff4a
-cdGfEGs01DEp9t0bHqZd6ESf2rEUljT57i9wSBfT5ULj78VTgudw/WhB0CgiXD+f
-q2dZC/19B8Xmk6XmEpRQjFK6wFmfBiQdelJo17/8M4LdT/RfvTHJOxr2OAtvCm2Z
-0xafBd5x
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
deleted file mode 100644
index 60e7fdfa9..000000000
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA4eH8EF/1XBRvHchTZm8onKXAJQ/YavjRV6Vx7GuVHU+grefB
-msnHF+GHGvF3Htae388OIXZ7LMD1Thw7JLXM+la5G3r08Q5Z/NAlmQN7kLptdkwf
-AkZoIzSHwS6CfAjv9eBsSrxT/U8HAh4WHzFLIjDKfw2rIdab7qFoVkZSvPvLRk4B
-hxflmV0/y+ObZLICXSE+Wh3TKmTYrWKCY7zDdxFEWoPbteHO2AgnKiL4E7e6Zz4F
-dyk8ahnsgVpe8dwxUQKvFuSu9F2kqLP/j67wVqRAm0GZi6o/ZMuh1ElMpInhS8g9
-dnwNMRgL8lr/CubWE18fhPdiNYZP76VVtgXuoQIDAQABAoIBAQCbF5UAkUJgdM9O
-fat128DgvZXOXLDV0f261igAkmWR+Ih0n3n5E64VoY4oW77Ud7wiI4KqSzWLpvlH
-Jm8dZ45UHJOAYM4pbRcwVKJcC14eI0LhRKbN4xXBhmHnrE1/aIuKIQt5zRFGDarc
-M1gxFqFl2mZPEk18MGRkVoLTKfnJMzdHI1m0IAMwg3Rl9cmuVdkhTS+IAoULVNnI
-0iAOsFN8SdDaKBqRcPkypT5s4wjGH4s7zjW4PmEDwDhhfeHkVccCuH8n3un1bPT2
-oc73RSXdCYMgDTD3waXC+4cCQGPZmUCl6Mfq7YCECkUpUg6rHlaCYRSZZoQPf5vH
-VsBUvjABAoGBAPHSnJOL6tcqJCCZ27E3zIsmZ+d6dX4B/YN1Xk3vKHhavN5Ks6Gx
-ZCsaluMuB2qyBRrpKnSAz6lUQ1TOxzuphlVIX1EnLW+JvNgFyem9PARsP2SMsKqm
-VaqnId6pprdbP53NpL9Z7AsbS/i/Ab6WpVPyYHdqVsimCdRGK9/JlOnBAoGBAO8g
-I4a4dJKiwHBHyP6wkYrhWdYwmjTJlskNNjrvtn7bCJ/Lm0SaGFXKIHCExnenZji0
-bBp3XiFNPlPfjTaXG++3IH6fxYdHonsrkxbUHvGAVETmHVLzeFiAKuUBvrWuKecD
-yoywVenugORQIPal3AcLwPsVRfDU89tTQhiFq3zhAoGBAIqmfy/54URM3Tnz/Yq2
-u4htFNYb2JHPAlQFT3TP0xxuqiuqGSR0WUJ9lFXdZlM+jr7HQZha4rXrok9V39XN
-dUAgpsYY+GwjRSt25jYmUesXRaGZKRIvHJ8kBL9t9jDbGLaZ2gP8wuH7XKvamF12
-coSXS8gsKGYTDT+wnCdLpR4BAoGAFwuV4Ont8iPVP/zrFgCWRjgpnEba1bOH4KBx
-VYS8pcUeM6g/soDXT41HSxDAv89WPqjEslhGrhbvps2oolY1zwhrDUkAlGUG96/f
-YRfYU5X2iR1UPiZQttbDS4a7hm7egvEOmDh2TzE5IsfGJX8ekV9Ene4S637acYy4
-lfxr5oECgYEAzRuvh6aG7UmKwNTfatEKav7/gUH3QBGK+Pp3TPSmR5PKh/Pk4py6
-95bT4mHrKCBIfSv/8h+6baYZr9Ha1Oj++J94RXEi8wdjjl1w3LGQrM/X+0AVqn5P
-b5w1nvRK7bMikIXbZmPJmivrfChcjD21gvWeF6Osq8McWF8jW2HzrZw=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 1c011dccb..000000000
--- a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn net-net
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
-        
-conn host-host
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	auto=add
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/crl-revoked/posttest.dat b/testing/tests/ikev1/crl-revoked/posttest.dat
deleted file mode 100644
index d742e8410..000000000
--- a/testing/tests/ikev1/crl-revoked/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/crl-revoked/pretest.dat b/testing/tests/ikev1/crl-revoked/pretest.dat
deleted file mode 100644
index d92333d86..000000000
--- a/testing/tests/ikev1/crl-revoked/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/crl-revoked/test.conf b/testing/tests/ikev1/crl-revoked/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/crl-revoked/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/crl-strict/description.txt b/testing/tests/ikev1/crl-strict/description.txt
deleted file mode 100644
index 97011482e..000000000
--- a/testing/tests/ikev1/crl-strict/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and no current CRL is available, the Main Mode negotiation fails
-but a http fetch to get the CRL from the web server <b>winnetou</b> is triggered.
-When the second Main Mode trial comes around, the fetched CRL will be available
-and the IKE negotiation completes.
diff --git a/testing/tests/ikev1/crl-strict/evaltest.dat b/testing/tests/ikev1/crl-strict/evaltest.dat
deleted file mode 100644
index 1d7adb05e..000000000
--- a/testing/tests/ikev1/crl-strict/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec listcrls:: ok::YES
-carol::ipsec listcrls:: ok::YES
diff --git a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 1c011dccb..000000000
--- a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn net-net
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
-        
-conn host-host
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	auto=add
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/crl-strict/posttest.dat b/testing/tests/ikev1/crl-strict/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/crl-strict/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/crl-strict/test.conf b/testing/tests/ikev1/crl-strict/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/crl-strict/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/crl-to-cache/description.txt b/testing/tests/ikev1/crl-to-cache/description.txt
deleted file mode 100644
index 9f542e73d..000000000
--- a/testing/tests/ikev1/crl-to-cache/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-By setting <b>cachecrls=yes</b> in ipsec.conf, a copy of the CRL fetched
-via http from the web server <b>winnetou</b> is saved locally in the
-directory <b>/etc/ipsec.d/crls</b> on both the roadwarrior <b>carol</b>
-and the gateway <b>moon</b> when the IPsec connection is set up. The
-<b>subjectKeyIdentifier</b> of the issuing CA plus the suffix <b>.crl</b>
-is used as a unique filename for the cached CRL. 
diff --git a/testing/tests/ikev1/crl-to-cache/evaltest.dat b/testing/tests/ikev1/crl-to-cache/evaltest.dat
deleted file mode 100644
index be7737185..000000000
--- a/testing/tests/ikev1/crl-to-cache/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
-carol::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
diff --git a/testing/tests/ikev1/crl-to-cache/posttest.dat b/testing/tests/ikev1/crl-to-cache/posttest.dat
deleted file mode 100644
index be17847c1..000000000
--- a/testing/tests/ikev1/crl-to-cache/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/crls/*
-carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev1/crl-to-cache/pretest.dat b/testing/tests/ikev1/crl-to-cache/pretest.dat
deleted file mode 100644
index d92333d86..000000000
--- a/testing/tests/ikev1/crl-to-cache/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/crl-to-cache/test.conf b/testing/tests/ikev1/crl-to-cache/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/crl-to-cache/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/default-keys/description.txt b/testing/tests/ikev1/default-keys/description.txt
deleted file mode 100644
index 639e909da..000000000
--- a/testing/tests/ikev1/default-keys/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b>
-and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key
-and a self-signed X.509 certificate. Because the UML testing environment does
-not offer enough entropy, the non-blocking /dev/urandom device is used in place
-of /dev/random for generating the random primes.
-<p>
-The self-signed certificates are then distributed to the peers via scp
-and are used to set up a road warrior connection initiated by <b>carol</b> 
diff --git a/testing/tests/ikev1/default-keys/evaltest.dat b/testing/tests/ikev1/default-keys/evaltest.dat
deleted file mode 100644
index a18e3997e..000000000
--- a/testing/tests/ikev1/default-keys/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::cat /var/log/auth.log::scepclient::YES
-moon::cat /var/log/auth.log::scepclient::YES
-carol::cat /var/log/auth.log::we have a cert but are not sending it::YES
-moon::cat /var/log/auth.log::we have a cert but are not sending it::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 4d5bff62c..000000000
--- a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=0
-	strictcrlpolicy=no
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=selfCert.der
-	leftsendcert=never
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightcert=peerCert.der
-	auto=add
diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e589a9425..000000000
--- a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 13ad3063f..000000000
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A INPUT  -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index dd7ae0b20..000000000
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=0
-	strictcrlpolicy=no
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn carol
-	left=PH_IP_MOON
-	leftcert=selfCert.der
-	leftsendcert=never
-	leftfirewall=yes
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightcert=peerCert.der
-	auto=add
-
diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index e589a9425..000000000
--- a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/default-keys/posttest.dat b/testing/tests/ikev1/default-keys/posttest.dat
deleted file mode 100644
index 8cada5e7e..000000000
--- a/testing/tests/ikev1/default-keys/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/default-keys/pretest.dat b/testing/tests/ikev1/default-keys/pretest.dat
deleted file mode 100644
index 88f9a2ca9..000000000
--- a/testing/tests/ikev1/default-keys/pretest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::rm /etc/ipsec.secrets
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-moon::rm /etc/ipsec.secrets
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-moon::sleep 5 
-moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
-moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
-moon::ipsec reload 
-carol::ipsec reload 
-carol::ipsec up home
diff --git a/testing/tests/ikev1/default-keys/test.conf b/testing/tests/ikev1/default-keys/test.conf
deleted file mode 100644
index 0baa48d90..000000000
--- a/testing/tests/ikev1/default-keys/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat
index d00613c07..52c561964 100644
--- a/testing/tests/ikev1/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev1/double-nat-net/evaltest.dat
@@ -1,5 +1,7 @@
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
index caad279bb..836a8b322 100755..100644
--- a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf
@@ -1,11 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
index 32d2ab0f6..fa1ccacb1 100755..100644
--- a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf
@@ -1,11 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -21,5 +16,5 @@ conn nat-t
 	leftid=bob@strongswan.org
 	leftfirewall=yes
 	right=%any
-	rightsubnetwithin=10.1.0.0/16
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/double-nat-net/posttest.dat b/testing/tests/ikev1/double-nat-net/posttest.dat
index 484297418..63d4f98e7 100644
--- a/testing/tests/ikev1/double-nat-net/posttest.dat
+++ b/testing/tests/ikev1/double-nat-net/posttest.dat
@@ -1,7 +1,7 @@
 bob::ipsec stop
 alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev1/double-nat-net/pretest.dat b/testing/tests/ikev1/double-nat-net/pretest.dat
index 84bc15092..17a4fe5eb 100644
--- a/testing/tests/ikev1/double-nat-net/pretest.dat
+++ b/testing/tests/ikev1/double-nat-net/pretest.dat
@@ -1,8 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-bob::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
@@ -12,4 +9,4 @@ alice::ipsec start
 bob::ipsec start
 alice::sleep 2
 alice::ipsec up nat-t
-
+alice::sleep 1
diff --git a/testing/tests/ikev1/double-nat-net/test.conf b/testing/tests/ikev1/double-nat-net/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev1/double-nat-net/test.conf
+++ b/testing/tests/ikev1/double-nat-net/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev1/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat
index 05e751422..9ddad2de5 100644
--- a/testing/tests/ikev1/double-nat/evaltest.dat
+++ b/testing/tests/ikev1/double-nat/evaltest.dat
@@ -1,5 +1,7 @@
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
index 7de7a951e..6b40252cf 100755..100644
--- a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf
@@ -1,11 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/bob/etc/ipsec.conf
index eee3c45e8..89640564d 100755..100644
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,11 +8,12 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=secret
-		
+
 conn nat-t
 	left=%defaultroute
+	leftcert=bobCert.pem
+	leftid=bob@strongswan.org
 	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
+	right=%any
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules b/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/double-nat/posttest.dat b/testing/tests/ikev1/double-nat/posttest.dat
index 5d39e406d..aa806bfc9 100644
--- a/testing/tests/ikev1/double-nat/posttest.dat
+++ b/testing/tests/ikev1/double-nat/posttest.dat
@@ -1,7 +1,7 @@
 bob::ipsec stop
 alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev1/double-nat/pretest.dat b/testing/tests/ikev1/double-nat/pretest.dat
index cf495b778..65f18b756 100644
--- a/testing/tests/ikev1/double-nat/pretest.dat
+++ b/testing/tests/ikev1/double-nat/pretest.dat
@@ -1,7 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
@@ -10,4 +8,4 @@ alice::ipsec start
 bob::ipsec start
 alice::sleep 2
 alice::ipsec up nat-t
-
+alice::sleep 1
diff --git a/testing/tests/ikev1/double-nat/test.conf b/testing/tests/ikev1/double-nat/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev1/double-nat/test.conf
+++ b/testing/tests/ikev1/double-nat/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev1/dpd-clear/description.txt b/testing/tests/ikev1/dpd-clear/description.txt
index f76b2d741..7f62dc576 100644
--- a/testing/tests/ikev1/dpd-clear/description.txt
+++ b/testing/tests/ikev1/dpd-clear/description.txt
@@ -1,5 +1,5 @@
 The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b>
 which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s.
 When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted,
-<b>moon</b> clears the connection after the configured timeout of 30 s.
+<b>moon</b> clears the connection after 4 unsuccessful retransmits.
 
diff --git a/testing/tests/ikev1/dpd-clear/evaltest.dat b/testing/tests/ikev1/dpd-clear/evaltest.dat
index 98d5b146b..f6f18212c 100644
--- a/testing/tests/ikev1/dpd-clear/evaltest.dat
+++ b/testing/tests/ikev1/dpd-clear/evaltest.dat
@@ -1,7 +1,7 @@
-carol::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::sleep 50::no output expected::NO
-moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
-moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
-moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
-moon::cat /var/log/auth.log::DPD: Clearing connection::YES
+moon:: sleep 60::no output expected::NO
+moon:: cat /var/log/daemon.log::sending DPD request::YES
+moon::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/ipsec.conf
index b4bc2101c..6812907e8 100755..100644
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/ipsec.conf
@@ -1,23 +1,20 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
+
+conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
-
-conn home
+	leftfirewall=yes
 	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev1
 	auto=add
diff --git a/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
index 34490a13a..83f2849a4 100755..100644
--- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,7 +10,7 @@ conn %default
 	keyexchange=ikev1
 	dpdaction=clear
 	dpddelay=10
-	dpdtimeout=30
+	dpdtimeout=45
 
 conn rw
 	left=PH_IP_MOON
@@ -24,6 +20,3 @@ conn rw
 	right=%any
 	rightid=carol@strongswan.org
 	auto=add
-
-
-
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/dpd-clear/test.conf b/testing/tests/ikev1/dpd-clear/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev1/dpd-clear/test.conf
+++ b/testing/tests/ikev1/dpd-clear/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/dpd-restart/description.txt b/testing/tests/ikev1/dpd-restart/description.txt
index 0a309cf52..410d3d636 100644
--- a/testing/tests/ikev1/dpd-restart/description.txt
+++ b/testing/tests/ikev1/dpd-restart/description.txt
@@ -1,13 +1,7 @@
-The peer <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
-is defined symbolically by <b>right=%&lt;hostname&gt;</b>. The ipsec starter resolves the
-fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
-/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary
-IP address under the condition that the peer identity remains unchanged. When this happens
-the old tunnel is replaced by an IPsec connection to the new origin.
-<p>
-In this scenario <b>moon</b> first initiates a tunnel to <b>carol</b>. After some time
-the responder <b>carol</b> disconnects (simulated by iptables blocking IKE and ESP traffic).
-<b>moon</b> detects via Dead Peer Detection (DPD) that the connection is down and tries to
-reconnect. After a few seconds the firewall is opened again and the connection is 
-reestablished.
+The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway
+<b>moon</b>. Both end points activate <b>Dead Peer Detection</b> (DPD) with a
+polling interval of 10 s. When the network connectivity between <b>carol</b>
+and <b>moon</b> is forcefully disrupted for a duration of 100 s, <b>moon</b>
+clears the connection after 4 unsuccessful retransmits whereas <b>carol</b>
+also takes down the connection but immediately tries to reconnect which succeeds
+as soon as the connection becomes available again.
diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat
index 8bc2e8688..6a749b826 100644
--- a/testing/tests/ikev1/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev1/dpd-restart/evaltest.dat
@@ -1,10 +1,13 @@
-moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
-carol::iptables -I INPUT 1 -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-carol::sleep 35::no output expected::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
+carol::sleep 60::no output expected::NO
+carol::cat /var/log/daemon.log::sending DPD request::YES
+carol::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES
+carol::cat /var/log/daemon.log::restarting CHILD_SA home::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
-moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
-moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
-moon::cat /var/log/auth.log::DPD: Restarting connection::YES
-moon::sleep 10::no output expected::NO
-moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
+moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::sleep 10::no output expected::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
index 3c0b0bf15..d3c105c31 100755..100644
--- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,15 +8,16 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	dpdaction=restart
+        dpddelay=10
+	dpdtimeout=45
 
-conn moon 
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_CAROL1
+conn home
+	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
-	right=%moon.strongswan.org
-	rightsubnet=10.1.0.0/16
+	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
index 9f1aded0f..79db53614 100755..100644
--- a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,19 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-        dpdaction=restart
-        dpddelay=5
-        dpdtimeout=25
-
-conn carol
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
+	dpdaction=clear
+	dpddelay=10
+	dpdtimeout=45
+conn rw
+	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=%carol.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
 	rightid=carol@strongswan.org
-	rightsubnet=PH_IP_CAROL1/32
-	auto=start
+	auto=add
diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/dpd-restart/posttest.dat b/testing/tests/ikev1/dpd-restart/posttest.dat
index e092608cb..c6d6235f9 100644
--- a/testing/tests/ikev1/dpd-restart/posttest.dat
+++ b/testing/tests/ikev1/dpd-restart/posttest.dat
@@ -1,5 +1,2 @@
-carol::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
+carol::ipsec stop
diff --git a/testing/tests/ikev1/dpd-restart/pretest.dat b/testing/tests/ikev1/dpd-restart/pretest.dat
index caf89d6c6..14ed95322 100644
--- a/testing/tests/ikev1/dpd-restart/pretest.dat
+++ b/testing/tests/ikev1/dpd-restart/pretest.dat
@@ -1,5 +1,4 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
 moon::ipsec start
-moon::sleep 4
+carol::ipsec start
+carol::sleep 2 
+carol::ipsec up home
diff --git a/testing/tests/ikev1/dpd-restart/test.conf b/testing/tests/ikev1/dpd-restart/test.conf
index 4d648102b..892f51cd9 100644
--- a/testing/tests/ikev1/dpd-restart/test.conf
+++ b/testing/tests/ikev1/dpd-restart/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="moon alice"
+TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/dynamic-initiator/evaltest.dat b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
index 3105ae38c..61546f417 100644
--- a/testing/tests/ikev1/dynamic-initiator/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/evaltest.dat
@@ -1,8 +1,10 @@
-carol::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::PH_IP_CAROL.*IPsec SA established::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*deleting connection.*with peer PH_IP_CAROL::YES 
-moon::cat /var/log/auth.log::PH_IP_DAVE.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
+moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
+moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
index acf503f8e..ef0d102c0 100755..100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,18 +10,12 @@ conn %default
 	keyexchange=ikev1
 
 conn moon 
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_CAROL1
+	left=%any
+	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
-	right=moon.strongswan.org
-	rightallowany=yes
+	right=%moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
index acf503f8e..ef0d102c0 100755..100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,18 +10,12 @@ conn %default
 	keyexchange=ikev1
 
 conn moon 
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_CAROL1
+	left=%any
+	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
-	right=moon.strongswan.org
-	rightallowany=yes
+	right=%moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
index ee28eebf3..6ab0ea5ab 100755..100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,17 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	left=%defaultroute
-	leftnexthop=%direct
+
+conn carol
+	left=%any
 	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
-
-conn carol
-	right=carol.strongswan.org
-	rightallowany=yes
+	right=%carol.strongswan.org
 	rightid=carol@strongswan.org
-	rightsubnet=PH_IP_CAROL1/32
+	rightsourceip=PH_IP_CAROL1
 	auto=add
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-initiator/posttest.dat b/testing/tests/ikev1/dynamic-initiator/posttest.dat
index c30a35edd..32ac12ddc 100644
--- a/testing/tests/ikev1/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/posttest.dat
@@ -2,10 +2,6 @@ dave::ipsec stop
 carol::ipsec stop
 dave::sleep 1
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_CAROL1/32 dev eth0
+carol::iptables-restore < /etc/iptables.flush
 dave::rm /etc/ipsec.d/certs/*
 dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat
index 92681011f..9aadb2a4c 100644
--- a/testing/tests/ikev1/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat
@@ -1,6 +1,4 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+carol::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
@@ -10,4 +8,4 @@ carol::sleep 1
 carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 dave::ipsec up moon
-dave::sleep 2 
+dave::sleep 2
diff --git a/testing/tests/ikev1/dynamic-initiator/test.conf b/testing/tests/ikev1/dynamic-initiator/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/dynamic-initiator/test.conf
+++ b/testing/tests/ikev1/dynamic-initiator/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/dynamic-responder/evaltest.dat b/testing/tests/ikev1/dynamic-responder/evaltest.dat
index 391afaa42..61546f417 100644
--- a/testing/tests/ikev1/dynamic-responder/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-responder/evaltest.dat
@@ -1,8 +1,10 @@
-carol::ipsec status::moon.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::PH_IP_CAROL.*IPsec SA established::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*deleting connection.*with peer PH_IP_CAROL::YES 
-moon::cat /var/log/auth.log::PH_IP_DAVE.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
+moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES
+moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
index acf503f8e..ef0d102c0 100755..100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,18 +10,12 @@ conn %default
 	keyexchange=ikev1
 
 conn moon 
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_CAROL1
+	left=%any
+	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
-	right=moon.strongswan.org
-	rightallowany=yes
+	right=%moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
index acf503f8e..ef0d102c0 100755..100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,18 +10,12 @@ conn %default
 	keyexchange=ikev1
 
 conn moon 
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_CAROL1
+	left=%any
+	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
-	right=moon.strongswan.org
-	rightallowany=yes
+	right=%moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
index ee28eebf3..6ab0ea5ab 100755..100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,17 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	left=%defaultroute
-	leftnexthop=%direct
+
+conn carol
+	left=%any
 	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
-
-conn carol
-	right=carol.strongswan.org
-	rightallowany=yes
+	right=%carol.strongswan.org
 	rightid=carol@strongswan.org
-	rightsubnet=PH_IP_CAROL1/32
+	rightsourceip=PH_IP_CAROL1
 	auto=add
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-responder/posttest.dat b/testing/tests/ikev1/dynamic-responder/posttest.dat
index c30a35edd..32ac12ddc 100644
--- a/testing/tests/ikev1/dynamic-responder/posttest.dat
+++ b/testing/tests/ikev1/dynamic-responder/posttest.dat
@@ -2,10 +2,6 @@ dave::ipsec stop
 carol::ipsec stop
 dave::sleep 1
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_CAROL1/32 dev eth0
+carol::iptables-restore < /etc/iptables.flush
 dave::rm /etc/ipsec.d/certs/*
 dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat
index c0f166ff4..8dc744f9a 100644
--- a/testing/tests/ikev1/dynamic-responder/pretest.dat
+++ b/testing/tests/ikev1/dynamic-responder/pretest.dat
@@ -1,6 +1,4 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+carol::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
@@ -10,4 +8,4 @@ moon::sleep 1
 carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 dave::ipsec up moon
-dave::sleep 2 
+dave::sleep 2
diff --git a/testing/tests/ikev1/dynamic-responder/test.conf b/testing/tests/ikev1/dynamic-responder/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/dynamic-responder/test.conf
+++ b/testing/tests/ikev1/dynamic-responder/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
index f46a6a20b..82d2e7318 100644
--- a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat
@@ -1,9 +1,13 @@
-carol::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
index 0f37e6188..ef0d102c0 100755..100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,9 +10,8 @@ conn %default
 	keyexchange=ikev1
 
 conn moon 
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_CAROL1
+	left=%any
+	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftfirewall=yes
@@ -24,7 +19,3 @@ conn moon
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
index ec35eac9a..d63566635 100755..100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,9 +10,8 @@ conn %default
 	keyexchange=ikev1
 
 conn moon
-	left=%defaultroute
-	leftnexthop=%direct
-	leftsourceip=PH_IP_DAVE1
+	left=%any
+	leftsourceip=%config
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
@@ -24,7 +19,3 @@ conn moon
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
index 21848bc1c..07cd49899 100755..100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,10 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	left=%defaultroute
-	leftnexthop=%direct
+	left=%any
 	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
@@ -23,11 +17,11 @@ conn %default
 conn carol
 	right=%carol.strongswan.org
 	rightid=carol@strongswan.org
-	rightsubnet=PH_IP_CAROL1/32
+	rightsourceip=PH_IP_CAROL1
 	auto=add
 
 conn dave
 	right=%dave.strongswan.org
 	rightid=dave@strongswan.org
-	rightsubnet=PH_IP_DAVE1/32
+	rightsourceip=PH_IP_DAVE1
 	auto=add
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/dynamic-two-peers/posttest.dat b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
index 65292daae..7b2609846 100644
--- a/testing/tests/ikev1/dynamic-two-peers/posttest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/posttest.dat
@@ -3,8 +3,6 @@ dave::ipsec stop
 moon::sleep 1
 moon::ipsec stop
 moon::mv /etc/hosts.ori /etc/hosts
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/dynamic-two-peers/pretest.dat b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
index 6596a2527..4bb2a4686 100644
--- a/testing/tests/ikev1/dynamic-two-peers/pretest.dat
+++ b/testing/tests/ikev1/dynamic-two-peers/pretest.dat
@@ -1,8 +1,8 @@
 moon::mv /etc/hosts /etc/hosts.ori
 moon::mv /etc/hosts.stale /etc/hosts
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/dynamic-two-peers/test.conf b/testing/tests/ikev1/dynamic-two-peers/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/dynamic-two-peers/test.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/esp-ah-transport/description.txt b/testing/tests/ikev1/esp-ah-transport/description.txt
deleted file mode 100644
index f8ffce6e6..000000000
--- a/testing/tests/ikev1/esp-ah-transport/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication.
-In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
-marks all incoming AH packets with the ESP mark. The transport mode connection is
-tested by <b>carol</b> sending a ping to gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/esp-ah-transport/evaltest.dat b/testing/tests/ikev1/esp-ah-transport/evaltest.dat
deleted file mode 100644
index 526e0d96e..000000000
--- a/testing/tests/ikev1/esp-ah-transport/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
-moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_MOON::128 bytes from PH_IP_MOON: icmp_seq=1::YES
-carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
-moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES
-moon::tcpdump::AH.*ESP::YES
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 8c8817539..000000000
--- a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow AH
-	iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
-			
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 299b6a831..000000000
--- a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	auth=ah
-	ike=aes128-sha
-	esp=aes128-sha1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	type=transport
-	auto=add
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 3e8922581..000000000
--- a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow AH
-	iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 45ada023f..000000000
--- a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	auth=ah
-	ike=aes128-sha
-	esp=aes128-sha1
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=%any
-	rightid=carol@strongswan.org
-	type=transport
-	auto=add
diff --git a/testing/tests/ikev1/esp-ah-transport/posttest.dat b/testing/tests/ikev1/esp-ah-transport/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev1/esp-ah-transport/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/esp-ah-transport/pretest.dat b/testing/tests/ikev1/esp-ah-transport/pretest.dat
deleted file mode 100644
index 4fe0ee90b..000000000
--- a/testing/tests/ikev1/esp-ah-transport/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-ah-transport/test.conf b/testing/tests/ikev1/esp-ah-transport/test.conf
deleted file mode 100644
index fd33cfb57..000000000
--- a/testing/tests/ikev1/esp-ah-transport/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/esp-ah-tunnel/description.txt b/testing/tests/ikev1/esp-ah-tunnel/description.txt
deleted file mode 100644
index 332f8177a..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication.
-In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall
-marks all incoming AH packets with the ESP mark. The tunnel mode connection is
-tested by <b>carol</b> sending a ping to client <b>alice</b> hiding behind 
-gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat
deleted file mode 100644
index 5103a6318..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
-moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
-moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES
-moon::tcpdump::AH.*ESP::YES
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 8c8817539..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow AH
-	iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
-			
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 168e5d2a8..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	auth=ah
-	ike=aes128-sha
-	esp=aes128-sha1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 3e8922581..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow AH
-	iptables -A INPUT  -i eth0 -p 51 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index b89d8e861..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	auth=ah
-	ike=aes128-sha
-	esp=aes128-sha1
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-ah-tunnel/posttest.dat b/testing/tests/ikev1/esp-ah-tunnel/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/esp-ah-tunnel/pretest.dat b/testing/tests/ikev1/esp-ah-tunnel/pretest.dat
deleted file mode 100644
index 49973a7a5..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2 
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-ah-tunnel/test.conf b/testing/tests/ikev1/esp-ah-tunnel/test.conf
deleted file mode 100644
index 6abbb89a9..000000000
--- a/testing/tests/ikev1/esp-ah-tunnel/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
index 9c17ae903..648920105 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
@@ -1,9 +1,11 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CCM_12_128::YES
-carol::ipsec statusall::AES_CCM_12_128::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
+carol::ipsec statusall 2> /dev/null::AES_CCM_12_128::YES
 carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
-moon::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
index f8baa00e1..1cef8f8c5 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutodebug="control crypt"
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d70d7b989
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
index d4f0c3adc..72163aeec 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutodebug="control crypt"
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..d70d7b989
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
index c7992fbe4..c86f58081 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat
@@ -1,9 +1,11 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES
-carol::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES
-moon::ip xfrm state::rfc3686(ctr(aes))::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
+carol::ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES
+moon:: ip xfrm state::rfc3686(ctr(aes))::YES
 carol::ip xfrm state::rfc3686(ctr(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
index acb4126cf..08ff7dab2 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutodebug="control crypt"
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e607bbae7
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
index b5baa2b5d..f712ed86d 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutodebug="control crypt"
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e607bbae7
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
index da5d7c604..a7f52c72e 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
@@ -1,9 +1,11 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_GCM_16_256::YES
-carol::ipsec statusall::AES_GCM_16_256::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
+carol::ipsec statusall 2> /dev/null::AES_GCM_16_256::YES
 carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
-moon::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
index 5026e0d9e..125ce919e 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutodebug="control crypt"
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e063e446a
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
index 5fa07962e..b5821cd07 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutodebug="control crypt"
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e063e446a
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/description.txt b/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
index bc9b7c760..823ec253d 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the authentication-only
-ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac!</b>
+ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac-modp2048!</b>
 in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
 the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
index 4678155ee..d5d3bc0d3 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
@@ -1,9 +1,11 @@
-moon::ipsec statusall::rw.*IPsec SA established::YES
-carol::ipsec statusall::home.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::ESP proposal: AES_GMAC_256::YES
-carol::ipsec statusall::ESP proposal: AES_GMAC_256::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
+carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
 carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
-moon::ip xfrm state::aead rfc4543(gcm(aes))::YES
+moon:: ip xfrm state::aead rfc4543(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
index 69ef8d49d..5ad63657b 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha384-modp2048!
-	esp=aes256gmac!
+	ike=aes256-sha256-modp2048!
+	esp=aes256gmac-modp2048!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
index 41a583763..fba69aba3 100755..100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha384-modp2048!
-	esp=aes256gmac!
+	ike=aes256-sha256-modp2048!
+	esp=aes256gmac-modp2048!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt b/testing/tests/ikev1/esp-alg-aes-xcbc/description.txt
index 0c39352d9..0c39352d9 100644
--- a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/description.txt
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat
new file mode 100644
index 000000000..b466813fe
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat
@@ -0,0 +1,11 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
+moon:: ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..94eb96f38
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	ike=aes256-sha256-modp2048!
+	esp=aes256-aesxcbc!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf
index e5fed2f06..dbc468571 100755..100644
--- a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	ike=aes256-sha256-modp2048!
+	esp=aes256-aesxcbc!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/af-alg-ikev1/alg-camellia/posttest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/af-alg-ikev1/alg-camellia/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/posttest.dat
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/pretest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
index f5aa989fe..f5aa989fe 100644
--- a/testing/tests/ikev1/esp-alg-strict-fail/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf
new file mode 100644
index 000000000..d7b71426c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
deleted file mode 100644
index 5cee96b08..000000000
--- a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES
-carol::ip xfrm state::auth xcbc(aes)::YES
-moon::ip xfrm state::auth xcbc(aes)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
-
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 75ce0fbbe..000000000
--- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha2_256-modp2048!
-	esp=aes256-aesxcbc!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index c2e0a6dde..000000000
--- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha2_256-modp2048!
-	esp=aes256-aesxcbc!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
deleted file mode 100644
index 6abbb89a9..000000000
--- a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/esp-alg-des/description.txt b/testing/tests/ikev1/esp-alg-des/description.txt
deleted file mode 100644
index 9546569dd..000000000
--- a/testing/tests/ikev1/esp-alg-des/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP 1DES encryption algorithm with MD5 authentication. <b>moon</b> must
-explicitly accept the choice of this insecure algorithm by setting the strict
-flag '!' in <b>esp=des-md5!</b>. The tunnel is tested by <b>carol</b> 
-sending a ping to client <b>alice</b> behind gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/esp-alg-des/evaltest.dat b/testing/tests/ikev1/esp-alg-des/evaltest.dat
deleted file mode 100644
index 8e42707a2..000000000
--- a/testing/tests/ikev1/esp-alg-des/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES
-carol::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES
-moon::ip xfrm state::enc cbc(des)::YES
-carol::ip xfrm state::enc cbc(des)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index a5715a7f1..000000000
--- a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-md5-modp1024!
-	esp=des-md5!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 0329a533d..000000000
--- a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-md5-modp1024!
-	esp=des-md5!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-des/posttest.dat b/testing/tests/ikev1/esp-alg-des/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/esp-alg-des/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-des/pretest.dat b/testing/tests/ikev1/esp-alg-des/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/esp-alg-des/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-des/test.conf b/testing/tests/ikev1/esp-alg-des/test.conf
deleted file mode 100644
index 6abbb89a9..000000000
--- a/testing/tests/ikev1/esp-alg-des/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/esp-alg-null/description.txt b/testing/tests/ikev1/esp-alg-null/description.txt
index 7880a799c..8fd203098 100644
--- a/testing/tests/ikev1/esp-alg-null/description.txt
+++ b/testing/tests/ikev1/esp-alg-null/description.txt
@@ -1,5 +1,3 @@
-In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b>
-the ESP NULL encryption algorithm with SHA-1 authentication. <b>moon</b> must
-explicitly accept the choice of this insecure algorithm by setting the strict
-flag '!' in <b>esp=null-sha1!</b>. The tunnel is tested by <b>carol</b> 
-sending a ping to client <b>alice</b> behind gateway <b>moon</b>.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
+<b>NULL / HMAC_SHA1_96</b> by defining <b>esp=null-sha1</b> in ipsec.conf.
+A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat
index a259e6d09..1b9c6c27e 100644
--- a/testing/tests/ikev1/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-null/evaltest.dat
@@ -1,9 +1,11 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES
-carol::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES
-moon::ip xfrm state::enc ecb(cipher_null)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+moon:: ip xfrm state::enc ecb(cipher_null)::YES
 carol::ip xfrm state::enc ecb(cipher_null)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 172::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 172::YES
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
index fe76579ac..cd93d795f 100755..100644
--- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes-sha1
+	ike=aes128-sha1-modp2048!
 	esp=null-sha1!
 
 conn home
 	left=PH_IP_CAROL
+	leftfirewall=yes
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	auto=add
+	auto=add 
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
index b768b8ee4..2e9b8de65 100755..100644
--- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes-sha1!
+	ike=aes128-sha1-modp2048!
 	esp=null-sha1!
 
 conn rw
 	left=PH_IP_MOON
+	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	right=%any
-	rightid=carol@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/esp-alg-null/posttest.dat b/testing/tests/ikev1/esp-alg-null/posttest.dat
index c6d6235f9..046d4cfdc 100644
--- a/testing/tests/ikev1/esp-alg-null/posttest.dat
+++ b/testing/tests/ikev1/esp-alg-null/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/esp-alg-null/pretest.dat b/testing/tests/ikev1/esp-alg-null/pretest.dat
index 7d077c126..886fdf55c 100644
--- a/testing/tests/ikev1/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev1/esp-alg-null/pretest.dat
@@ -1,5 +1,7 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+carol::sleep 1 
 carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev1/esp-alg-null/test.conf
index 6abbb89a9..4a5fc470f 100644
--- a/testing/tests/ikev1/esp-alg-null/test.conf
+++ b/testing/tests/ikev1/esp-alg-null/test.conf
@@ -1,22 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/description.txt b/testing/tests/ikev1/esp-alg-strict-fail/description.txt
deleted file mode 100644
index 252080e80..000000000
--- a/testing/tests/ikev1/esp-alg-strict-fail/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication
-as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
-<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer,
-leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
-<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat
deleted file mode 100644
index 83d99bea1..000000000
--- a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::YES
-carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::YES
-moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO
-moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
-moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 46a619016..000000000
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha1
-	esp=3des-sha1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 86a15c96d..000000000
--- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha1
-	esp=aes128-sha1!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat b/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/test.conf b/testing/tests/ikev1/esp-alg-strict-fail/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/esp-alg-strict-fail/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/esp-alg-strict/description.txt b/testing/tests/ikev1/esp-alg-strict/description.txt
deleted file mode 100644
index 149a1e013..000000000
--- a/testing/tests/ikev1/esp-alg-strict/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption (together with
-HMAC_SHA1 authentication) in the first place and <b>AES_CBC_128</b> encryption in
-second place for both the ISAKMP and IPsec SAs. Gateway <b>moon</b> defines
-<b>ike=aes128-sha1</b> but will accept any other supported algorithm proposed
-by the peer during Phase 1. But for ESP encryption <b>moon</b> enforces
-<b>esp=aes128-sha1!</b> by applying the strict flag '!'.
-
diff --git a/testing/tests/ikev1/esp-alg-strict/evaltest.dat b/testing/tests/ikev1/esp-alg-strict/evaltest.dat
deleted file mode 100644
index 912a8d830..000000000
--- a/testing/tests/ikev1/esp-alg-strict/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
-moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
-moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES
-carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES
-carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 052541b21..000000000
--- a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha,aes128-sha1
-	esp=3des-sha1,aes128-sha1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 86a15c96d..000000000
--- a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha1
-	esp=aes128-sha1!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-strict/posttest.dat b/testing/tests/ikev1/esp-alg-strict/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/esp-alg-strict/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-strict/pretest.dat b/testing/tests/ikev1/esp-alg-strict/pretest.dat
deleted file mode 100644
index f5aa989fe..000000000
--- a/testing/tests/ikev1/esp-alg-strict/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-strict/test.conf b/testing/tests/ikev1/esp-alg-strict/test.conf
deleted file mode 100644
index a6c8f026c..000000000
--- a/testing/tests/ikev1/esp-alg-strict/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/esp-alg-weak/description.txt b/testing/tests/ikev1/esp-alg-weak/description.txt
deleted file mode 100644
index e49b6c620..000000000
--- a/testing/tests/ikev1/esp-alg-weak/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>carol</b> proposes <b>DES_CBC</b> encryption with HMAC_MD5 authentication
-as the only cipher suite for the IPsec SA. Because gateway <b>moon</b> does
-not use an explicit <b>esp</b> statement any strong encryption algorithm will be
-accepted but any weak key length will be rejected by default and thus the ISAKMP SA
-is bound to fail.
diff --git a/testing/tests/ikev1/esp-alg-weak/evaltest.dat b/testing/tests/ikev1/esp-alg-weak/evaltest.dat
deleted file mode 100644
index 72b14e805..000000000
--- a/testing/tests/ikev1/esp-alg-weak/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::IPSec Transform.*refused due to insecure key_len::YES
-moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES
diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index a5715a7f1..000000000
--- a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-md5-modp1024!
-	esp=des-md5!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/esp-alg-weak/posttest.dat b/testing/tests/ikev1/esp-alg-weak/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/esp-alg-weak/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/esp-alg-weak/pretest.dat b/testing/tests/ikev1/esp-alg-weak/pretest.dat
deleted file mode 100644
index 7d077c126..000000000
--- a/testing/tests/ikev1/esp-alg-weak/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/esp-alg-weak/test.conf b/testing/tests/ikev1/esp-alg-weak/test.conf
deleted file mode 100644
index a6c8f026c..000000000
--- a/testing/tests/ikev1/esp-alg-weak/test.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/ikev1/host2host-cert/evaltest.dat b/testing/tests/ikev1/host2host-cert/evaltest.dat
index d19f970f2..3305f4558 100644
--- a/testing/tests/ikev1/host2host-cert/evaltest.dat
+++ b/testing/tests/ikev1/host2host-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..1b860a2a9
--- /dev/null
+++ b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn host-host
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/ipsec.conf
index 95739fe51..0ee8ea5a3 100755..100644
--- a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,10 +10,10 @@ conn %default
 	keyexchange=ikev1
 
 conn host-host
-	right=PH_IP_MOON
-	rightcert=moonCert.pem
-	rightid=@moon.strongswan.org
-	rightfirewall=yes
 	left=PH_IP_SUN
+	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/host2host-cert/posttest.dat b/testing/tests/ikev1/host2host-cert/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/host2host-cert/posttest.dat
+++ b/testing/tests/ikev1/host2host-cert/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/host2host-cert/pretest.dat b/testing/tests/ikev1/host2host-cert/pretest.dat
index 3536fd886..3bce9f6e5 100644
--- a/testing/tests/ikev1/host2host-cert/pretest.dat
+++ b/testing/tests/ikev1/host2host-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::sleep 1 
 moon::ipsec up host-host
diff --git a/testing/tests/ikev1/host2host-cert/test.conf b/testing/tests/ikev1/host2host-cert/test.conf
index cf2e704fd..55d6e9fd6 100644
--- a/testing/tests/ikev1/host2host-cert/test.conf
+++ b/testing/tests/ikev1/host2host-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
- 
+VIRTHOSTS="moon winnetou sun"
+
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
-
-# UML instances on which tcpdump is to be started
+ 
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/host2host-swapped/description.txt b/testing/tests/ikev1/host2host-swapped/description.txt
deleted file mode 100644
index 34cfe43cc..000000000
--- a/testing/tests/ikev1/host2host-swapped/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Same scenario as test <a href="../host2host-cert/"><b>host2host-cert</b></a> but with
-swapped end definitions:  <b>right</b> denotes the <b>local</b> side whereas
-<b>left</b> stands for the <b>remote</b> peer.
diff --git a/testing/tests/ikev1/host2host-swapped/evaltest.dat b/testing/tests/ikev1/host2host-swapped/evaltest.dat
deleted file mode 100644
index d19f970f2..000000000
--- a/testing/tests/ikev1/host2host-swapped/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index a0d600a6f..000000000
--- a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn host-host
-	right=PH_IP_SUN
-	rightcert=sunCert.pem
-	rightfirewall=yes
-	rightid=@sun.strongswan.org
-	left=PH_IP_MOON
-	leftid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/host2host-swapped/posttest.dat b/testing/tests/ikev1/host2host-swapped/posttest.dat
deleted file mode 100644
index 5a9150bc8..000000000
--- a/testing/tests/ikev1/host2host-swapped/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/host2host-swapped/pretest.dat b/testing/tests/ikev1/host2host-swapped/pretest.dat
deleted file mode 100644
index e2d98f2eb..000000000
--- a/testing/tests/ikev1/host2host-swapped/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up host-host
diff --git a/testing/tests/ikev1/host2host-swapped/test.conf b/testing/tests/ikev1/host2host-swapped/test.conf
deleted file mode 100644
index cf2e704fd..000000000
--- a/testing/tests/ikev1/host2host-swapped/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon winnetou sun"
- 
-# Corresponding block diagram
-#
-DIAGRAM="m-w-s.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/host2host-transport/evaltest.dat b/testing/tests/ikev1/host2host-transport/evaltest.dat
index 04c0eb3a2..fc49e57d8 100644
--- a/testing/tests/ikev1/host2host-transport/evaltest.dat
+++ b/testing/tests/ikev1/host2host-transport/evaltest.dat
@@ -1,7 +1,7 @@
-moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ip xfrm state::mode transport::YES
-sun::ip xfrm state::mode transport::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
index b56189c6c..a860a6946 100755..100644
--- a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
index 1f2ade20b..cc70f454f 100755..100644
--- a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -22,4 +18,3 @@ conn host-host
 	rightid=@moon.strongswan.org
 	type=transport
 	auto=add
-
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/host2host-transport/posttest.dat b/testing/tests/ikev1/host2host-transport/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/host2host-transport/posttest.dat
+++ b/testing/tests/ikev1/host2host-transport/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/host2host-transport/pretest.dat b/testing/tests/ikev1/host2host-transport/pretest.dat
index e2d98f2eb..99789b90f 100644
--- a/testing/tests/ikev1/host2host-transport/pretest.dat
+++ b/testing/tests/ikev1/host2host-transport/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2
diff --git a/testing/tests/ikev1/host2host-transport/test.conf b/testing/tests/ikev1/host2host-transport/test.conf
index cf2e704fd..5a286c84f 100644
--- a/testing/tests/ikev1/host2host-transport/test.conf
+++ b/testing/tests/ikev1/host2host-transport/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/description.txt b/testing/tests/ikev1/ike-alg-strict-fail/description.txt
deleted file mode 100644
index 252080e80..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication
-as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines
-<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer,
-leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces
-<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail.
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat
deleted file mode 100644
index 0c6bc7f7e..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES
-moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
-moon::cat /var/log/auth.log::no acceptable Oakley Transform::YES
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index d75a7022e..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha1
-	esp=3des-sha1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add 
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 460ff749c..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha1!
-	esp=aes128-sha1
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat b/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat b/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat
deleted file mode 100644
index f5aa989fe..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/test.conf b/testing/tests/ikev1/ike-alg-strict-fail/test.conf
deleted file mode 100644
index 7e7848831..000000000
--- a/testing/tests/ikev1/ike-alg-strict-fail/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-##!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/ike-alg-strict/description.txt b/testing/tests/ikev1/ike-alg-strict/description.txt
deleted file mode 100644
index af93b95c3..000000000
--- a/testing/tests/ikev1/ike-alg-strict/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with <b>HMAC_SHA1</b> authentication in the first place
-and <b>AES_CBC_128</b> encryption with <b>HMAC_SHA1</b> authentication in the second place for both the ISAKMP and IPsec SA.
-The gateway <b>moon</b> enforces <b>ike=aes128-sha!</b> for Phase 1 by using the strict flag '!', 
-but will accept any other supported algorithm proposed by the peer for Phase 2 , even though <b>moon</b>
-defines itself <b>esp=aes128-sha1</b> only.
diff --git a/testing/tests/ikev1/ike-alg-strict/evaltest.dat b/testing/tests/ikev1/ike-alg-strict/evaltest.dat
deleted file mode 100644
index 8acd0d039..000000000
--- a/testing/tests/ikev1/ike-alg-strict/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES
-moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1::YES
-moon::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA::YES
-carol::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 36bdc0fa4..000000000
--- a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha1,aes128-sha1
-	esp=3des-sha1,aes128-sha1
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 460ff749c..000000000
--- a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes128-sha1!
-	esp=aes128-sha1
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightid=carol@strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ike-alg-strict/posttest.dat b/testing/tests/ikev1/ike-alg-strict/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/ike-alg-strict/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/ike-alg-strict/pretest.dat b/testing/tests/ikev1/ike-alg-strict/pretest.dat
deleted file mode 100644
index f5aa989fe..000000000
--- a/testing/tests/ikev1/ike-alg-strict/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/ike-alg-strict/test.conf b/testing/tests/ikev1/ike-alg-strict/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/ike-alg-strict/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/ip-pool-db-push/description.txt b/testing/tests/ikev1/ip-pool-db-push/description.txt
deleted file mode 100644
index dc510e21a..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Using Mode Config push mode (<b>modeconfig=push</b>) the gateway <b>moon</b> assigns virtual
-IP addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command
-<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>.
diff --git a/testing/tests/ikev1/ip-pool-db-push/evaltest.dat b/testing/tests/ikev1/ip-pool-db-push/evaltest.dat
deleted file mode 100644
index 9a5c5c7ee..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/evaltest.dat
+++ /dev/null
@@ -1,30 +0,0 @@
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
-carol::ip addr list dev eth0::PH_IP_CAROL1::YES
-carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/auth.log::starting ModeCfg server in push mode::YES
-moon::cat /var/log/auth.log::acquired new lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/auth.log::assigning virtual IP::YES
-moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 56f13324a..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 56f13324a..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index c365004bf..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	rekey=no
-	keyexchange=ikev1
-	modeconfig=push
-
-conn rw
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=%any
-	rightsourceip=%bigpool
-	auto=add
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 630135adc..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
-}
-
-libhydra {
-  plugins {
-    attr-sql {
-      database = sqlite:///etc/ipsec.d/ipsec.db
-    }
-  }
-}
-
-pool {
-  load = sqlite
-}
diff --git a/testing/tests/ikev1/ip-pool-db-push/posttest.dat b/testing/tests/ikev1/ip-pool-db-push/posttest.dat
deleted file mode 100644
index 5022c6cf1..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/posttest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
-moon::ipsec pool --del bigpool 2> /dev/null
-moon::ipsec pool --del dns 2> /dev/null
-moon::ipsec pool --del nbns 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev1/ip-pool-db-push/pretest.dat b/testing/tests/ikev1/ip-pool-db-push/pretest.dat
deleted file mode 100644
index 4a2add194..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/pretest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
-moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
-moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
-moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2 
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/ip-pool-db-push/test.conf b/testing/tests/ikev1/ip-pool-db-push/test.conf
deleted file mode 100644
index 1a8f2a4e0..000000000
--- a/testing/tests/ikev1/ip-pool-db-push/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/ip-pool-db/evaltest.dat b/testing/tests/ikev1/ip-pool-db/evaltest.dat
index 566bab972..42e353084 100644
--- a/testing/tests/ikev1/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool-db/evaltest.dat
@@ -1,25 +1,33 @@
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/auth.log::peer requested virtual IP %any::YES
-moon::cat /var/log/auth.log::acquired new lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/auth.log::assigning virtual IP::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
 moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
 moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
 moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*IPsec SA established::YES
+moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf
index 0c770de9f..5a77f8707 100755..100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
index 56f13324a..bd19ffe3d 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf
index 163c19516..6ea2d2bb1 100755..100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
index 56f13324a..bd19ffe3d 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf
index 0cefb7ab0..47014a869 100755..100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf
@@ -1,17 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	rekey=no
 	keyexchange=ikev1
 
 conn rw
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
index 630135adc..04ffaf64d 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev1/ip-pool-db/posttest.dat b/testing/tests/ikev1/ip-pool-db/posttest.dat
index 5022c6cf1..c99f347e3 100644
--- a/testing/tests/ikev1/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev1/ip-pool-db/posttest.dat
@@ -1,11 +1,9 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::ipsec pool --del bigpool 2> /dev/null
 moon::ipsec pool --del dns 2> /dev/null
 moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat
index 190672652..fce551c69 100644
--- a/testing/tests/ikev1/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev1/ip-pool-db/pretest.dat
@@ -4,10 +4,9 @@ moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2>
 moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
 moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
 moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
-moon::ipsec pool --statusattr
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/ip-pool-db/test.conf b/testing/tests/ikev1/ip-pool-db/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/ip-pool-db/test.conf
+++ b/testing/tests/ikev1/ip-pool-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/ip-pool/evaltest.dat b/testing/tests/ikev1/ip-pool/evaltest.dat
index f67ab321b..1fdc3f087 100644
--- a/testing/tests/ikev1/ip-pool/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool/evaltest.dat
@@ -1,21 +1,25 @@
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/auth.log::adding virtual IP address pool::YES
-moon::cat /var/log/auth.log::peer requested virtual IP %any::YES
-moon::cat /var/log/auth.log::assigning virtual IP::YES
-moon::ipsec leases rw::2/15, 2 online::YES
-moon::ipsec leases rw 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec leases rw 10.3.0.2::dave@strongswan.org::YES
-moon::ipsec statusall::rw.*carol@strongswan.org.*erouted::YES
-moon::ipsec statusall::rw.*dave@strongswan.org.*erouted::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES
+moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.3.0.0/28 10.3.0.2 2> /dev/null::dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf
index 0c770de9f..5a77f8707 100755..100644
--- a/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
index 4c40f76cc..dc937641c 100644
--- a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf
index 163c19516..6ea2d2bb1 100755..100644
--- a/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
index 4c40f76cc..dc937641c 100644
--- a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf
index ddedd7e7b..c48172923 100755..100644
--- a/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
index 4c40f76cc..dc937641c 100644
--- a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/ip-pool/posttest.dat b/testing/tests/ikev1/ip-pool/posttest.dat
index a68e84cbd..b757d8b15 100644
--- a/testing/tests/ikev1/ip-pool/posttest.dat
+++ b/testing/tests/ikev1/ip-pool/posttest.dat
@@ -1,8 +1,6 @@
-moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del 10.3.0.1/32 dev eth0
-dave::ip addr del 10.3.0.2/32 dev eth0
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/ip-pool/pretest.dat b/testing/tests/ikev1/ip-pool/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev1/ip-pool/pretest.dat
+++ b/testing/tests/ikev1/ip-pool/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/ip-pool/test.conf b/testing/tests/ikev1/ip-pool/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev1/ip-pool/test.conf
+++ b/testing/tests/ikev1/ip-pool/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/description.txt b/testing/tests/ikev1/ip-two-pools-mixed/description.txt
deleted file mode 100644
index 3869ced0a..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
-Both hosts request a <b>virtual IP</b> via the IKEv1 Mode Config payload by using the
-<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP
-addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting
-to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from an SQLite-based pool
-named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
-<p>
-Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and 
-both ping the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev1/ip-two-pools-mixed/evaltest.dat
deleted file mode 100644
index f237ce53f..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/evaltest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-carol::ipsec status::home.*IPsec SA established::YES
-alice::ipsec status::home.*IPsec SA established::YES
-moon::ipsec status::ext.*carol@strongswan.org.*erouted::YES
-moon::ipsec status::int.*alice@strongswan.org.*erouted::YES
-moon::cat /var/log/auth.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
-moon::ipsec leases ext::1/15, 1 online::YES
-moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES
-moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
-alice::cat /var/log/auth.log::setting virtual IP source address to 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index e8077b22a..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-		
-conn home 
-	left=%defaultroute
-	leftsourceip=%config
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON1
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 4c40f76cc..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 4c40f76cc..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# masquerade crl fetches to winnetou
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev1/ip-two-pools-mixed/posttest.dat
deleted file mode 100644
index 74e3cf2c0..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/posttest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-carol::ipsec stop
-alice::ipsec stop
-moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del 10.3.0.1/32 dev eth0
-alice::ip addr del 10.4.0.1/32 dev eth0
-moon::ip route del 10.3.0.0/16 via PH_IP_MOON
-moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
-moon::conntrack -F
-moon::ipsec pool --del intpool 2> /dev/null
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev1/ip-two-pools-mixed/pretest.dat
deleted file mode 100644
index 21e28ce0c..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/pretest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
-moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout  0 2> /dev/null
-moon::ip route add 10.3.0.0/16 via PH_IP_MOON
-moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-alice::ipsec start
-carol::sleep 2 
-carol::ipsec up home
-alice::ipsec up home
-alice::sleep 1
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/test.conf b/testing/tests/ikev1/ip-two-pools-mixed/test.conf
deleted file mode 100644
index 329774c0a..000000000
--- a/testing/tests/ikev1/ip-two-pools-mixed/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice carol"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev1/ip-two-pools/description.txt b/testing/tests/ikev1/ip-two-pools/description.txt
deleted file mode 100644
index 33a5187c5..000000000
--- a/testing/tests/ikev1/ip-two-pools/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>.
-Both hosts request a <b>virtual IP</b> via the IKEv1 Mode Config payload by using the
-<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP
-addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting
-to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from a simple pool defined 
-by <b>rightsourceip=10.4.0.0/28</b> to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface.
-<p>
-Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and 
-both ping the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/ip-two-pools/evaltest.dat b/testing/tests/ikev1/ip-two-pools/evaltest.dat
deleted file mode 100644
index 2f19a77ba..000000000
--- a/testing/tests/ikev1/ip-two-pools/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::ipsec status::home.*IPsec SA established::YES
-alice::ipsec status::home.*IPsec SA established::YES
-moon::ipsec status::ext.*carol@strongswan.org.*erouted::YES
-moon::ipsec status::int.*alice@strongswan.org.*erouted::YES
-moon::cat /var/log/auth.log::adding virtual IP address pool.*int.*10.4.0.0/28::YES
-moon::cat /var/log/auth.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
-moon::ipsec leases ext::1/15, 1 online::YES
-moon::ipsec leases int::1/15, 1 online::YES
-moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec leases int 10.4.0.1::alice@strongswan.org::YES
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
-alice::cat /var/log/auth.log::setting virtual IP source address to 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
-alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index e8077b22a..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-		
-conn home 
-	left=%defaultroute
-	leftsourceip=%config
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON1
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 4c40f76cc..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 4c40f76cc..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# masquerade crl fetches to winnetou
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 4771e26d6..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=%any
-
-conn int 
-	left=PH_IP_MOON1
-	rightsourceip=10.4.0.0/28
-	auto=add
-
-conn ext 
-	left=PH_IP_MOON
-	rightsourceip=10.3.0.0/28
-	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4c40f76cc..000000000
--- a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/ip-two-pools/posttest.dat b/testing/tests/ikev1/ip-two-pools/posttest.dat
deleted file mode 100644
index 4474e5ade..000000000
--- a/testing/tests/ikev1/ip-two-pools/posttest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-alice::ipsec stop
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del 10.3.0.1/32 dev eth0
-alice::ip addr del 10.4.0.1/32 dev eth0
-moon::ip route del 10.3.0.0/16 via 192.168.0.1
-moon::ip route del 10.4.0.0/16 via 10.1.0.1
-moon::conntrack -F
-moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev1/ip-two-pools/pretest.dat b/testing/tests/ikev1/ip-two-pools/pretest.dat
deleted file mode 100644
index 8091a6ed2..000000000
--- a/testing/tests/ikev1/ip-two-pools/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::ip route add 10.3.0.0/16 via 192.168.0.1
-moon::ip route add 10.4.0.0/16 via 10.1.0.1
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-alice::ipsec start
-carol::sleep 2 
-carol::ipsec up home
-alice::ipsec up home
-alice::sleep 1 
diff --git a/testing/tests/ikev1/ip-two-pools/test.conf b/testing/tests/ikev1/ip-two-pools/test.conf
deleted file mode 100644
index 329774c0a..000000000
--- a/testing/tests/ikev1/ip-two-pools/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice carol"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev1/mode-config-multiple/description.txt b/testing/tests/ikev1/mode-config-multiple/description.txt
deleted file mode 100644
index 6be00e744..000000000
--- a/testing/tests/ikev1/mode-config-multiple/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
-by using the <b>leftsourceip=%modeconfig</b> parameter. After setting up an IPsec SA to reach
-the hosts <b>alice</b> and <b>venus</b>, respectively, both roadwarriors set up a second 
-IPsec SA to <b>venus</b> and <b>alice</b>, respectively, inheriting the virtual IP address
-from the previous Mode Config negotiation.
diff --git a/testing/tests/ikev1/mode-config-multiple/evaltest.dat b/testing/tests/ikev1/mode-config-multiple/evaltest.dat
deleted file mode 100644
index 735345315..000000000
--- a/testing/tests/ikev1/mode-config-multiple/evaltest.dat
+++ /dev/null
@@ -1,29 +0,0 @@
-carol::cat /var/log/auth.log::alice.*setting virtual IP source address to PH_IP_CAROL1::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::cat /var/log/auth.log::venus.*inheriting virtual IP source address PH_IP_CAROL1 from ModeCfg::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::cat /var/log/auth.log::venus.*setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::cat /var/log/auth.log::alice.*inheriting virtual IP source address PH_IP_DAVE1 from ModeCfg::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::carol-alice.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::carol-venus.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave-venus.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave-alice.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
-venus::tcpdump::IP carol1.strongswan.org > venus.strongswan.org: ICMP echo request::YES
-venus::tcpdump::IP venus.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-venus::tcpdump::IP dave1.strongswan.org > venus.strongswan.org: ICMP echo request::YES
-venus::tcpdump::IP venus.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
-
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 0b93eb58f..000000000
--- a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn alice
-        also=home
-        rightsubnet=10.1.0.10/32
-        auto=add
-
-conn venus
-        also=home
-        rightsubnet=10.1.0.20/32
-        auto=add
-
-conn home
-	left=PH_IP_DAVE
-	leftsourceip=%modeconfig
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 7f5bb812f..000000000
--- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=192.168.0.1
-	leftsourceip=10.1.0.1
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-
-conn carol-alice
-	also=carol
-	leftsubnet=10.1.0.10/32
-	rightsourceip=10.3.0.1
-	auto=add
-
-conn carol-venus
-	also=carol
-	leftsubnet=10.1.0.20/32
-	rightsourceip=%carol-alice
-	auto=add
-	
-conn carol
-	right=%any
-	rightid=carol@strongswan.org
-
-conn dave-alice
-        also=dave
-        leftsubnet=10.1.0.10/32
-	rightsourceip=10.3.0.2
-        auto=add
-
-conn dave-venus
-        also=dave
-        leftsubnet=10.1.0.20/32
-	rightsourceip=%dave-alice
-        auto=add
-
-conn dave
-        right=%any
-        rightid=dave@strongswan.org
-
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index fb989daff..000000000
--- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
-  dns1 = PH_IP_WINNETOU
-  dns2 = PH_IP6_VENUS
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config-multiple/posttest.dat b/testing/tests/ikev1/mode-config-multiple/posttest.dat
deleted file mode 100644
index 42fa8359b..000000000
--- a/testing/tests/ikev1/mode-config-multiple/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/mode-config-multiple/pretest.dat b/testing/tests/ikev1/mode-config-multiple/pretest.dat
deleted file mode 100644
index 63f52e274..000000000
--- a/testing/tests/ikev1/mode-config-multiple/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
-carol::ipsec up venus 
-dave::ipsec up venus
-dave::ipsec up alice
-carol::sleep 1
diff --git a/testing/tests/ikev1/mode-config-multiple/test.conf b/testing/tests/ikev1/mode-config-multiple/test.conf
deleted file mode 100644
index d8fa5162d..000000000
--- a/testing/tests/ikev1/mode-config-multiple/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice venus"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/mode-config-push/description.txt b/testing/tests/ikev1/mode-config-push/description.txt
deleted file mode 100644
index 387c3b409..000000000
--- a/testing/tests/ikev1/mode-config-push/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
-Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol
-by using the <b>leftsourceip=%modeconfig</b> parameter. By setting the option <b>modeconfig=push</b>
-on both the roadwarriors and the gateway, the Mode Config server <b>moon</b> will actively push
-the configuration down to <b>carol</b> and <b>dave</b>.
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client
-<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will
-be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev1/mode-config-push/evaltest.dat b/testing/tests/ikev1/mode-config-push/evaltest.dat
deleted file mode 100644
index 3135a18fb..000000000
--- a/testing/tests/ikev1/mode-config-push/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 64c97eb16..000000000
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	rekey=no
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftsourceip=%modeconfig
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	modeconfig=push
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 56f13324a..000000000
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 56f13324a..000000000
--- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index f8d952d21..000000000
--- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
-  dns1 = PH_IP_WINNETOU
-  dns2 = PH_IP_VENUS
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config-push/posttest.dat b/testing/tests/ikev1/mode-config-push/posttest.dat
deleted file mode 100644
index 42fa8359b..000000000
--- a/testing/tests/ikev1/mode-config-push/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/mode-config-push/pretest.dat b/testing/tests/ikev1/mode-config-push/pretest.dat
deleted file mode 100644
index bb222992e..000000000
--- a/testing/tests/ikev1/mode-config-push/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/mode-config-push/test.conf b/testing/tests/ikev1/mode-config-push/test.conf
deleted file mode 100644
index 1a8f2a4e0..000000000
--- a/testing/tests/ikev1/mode-config-push/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/mode-config-swapped/description.txt b/testing/tests/ikev1/mode-config-swapped/description.txt
deleted file mode 100644
index e29e6f654..000000000
--- a/testing/tests/ikev1/mode-config-swapped/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Same scenario as test <a href="../mode-config/"><b>mode-config</b></a> but with
-swapped end definitions:  <b>right</b> denotes the <b>local</b> side whereas
-<b>left</b> stands for the <b>remote</b> peer.
diff --git a/testing/tests/ikev1/mode-config-swapped/evaltest.dat b/testing/tests/ikev1/mode-config-swapped/evaltest.dat
deleted file mode 100644
index 9d60cf7b0..000000000
--- a/testing/tests/ikev1/mode-config-swapped/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 4cea3d81b..000000000
--- a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	right=PH_IP_CAROL
-	rightsourceip=%modeconfig
-	rightcert=carolCert.pem
-	rightid=carol@strongswan.org
-	rightfirewall=yes
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftid=@moon.strongswan.org
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index cf96ddeca..000000000
--- a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	right=PH_IP_DAVE
-	rightsourceip=%modeconfig
-	rightcert=daveCert.pem
-	rightid=dave@strongswan.org
-	rightfirewall=yes
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftid=@moon.strongswan.org
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index b01f5b112..000000000
--- a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightsourceip=PH_IP_MOON1
-	rightcert=moonCert.pem
-	rightid=@moon.strongswan.org
-	rightfirewall=yes
-
-conn rw-carol
-	left=%any
-	leftid=carol@strongswan.org
-	leftsourceip=PH_IP_CAROL1
-	auto=add
-
-conn rw-dave
-	left=%any
-	leftid=dave@strongswan.org
-	leftsourceip=PH_IP_DAVE1
-	auto=add
diff --git a/testing/tests/ikev1/mode-config-swapped/posttest.dat b/testing/tests/ikev1/mode-config-swapped/posttest.dat
deleted file mode 100644
index 42fa8359b..000000000
--- a/testing/tests/ikev1/mode-config-swapped/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/mode-config-swapped/pretest.dat b/testing/tests/ikev1/mode-config-swapped/pretest.dat
deleted file mode 100644
index 1e45f00fd..000000000
--- a/testing/tests/ikev1/mode-config-swapped/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/ikev1/mode-config-swapped/test.conf b/testing/tests/ikev1/mode-config-swapped/test.conf
deleted file mode 100644
index 1a8f2a4e0..000000000
--- a/testing/tests/ikev1/mode-config-swapped/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/mode-config/evaltest.dat b/testing/tests/ikev1/mode-config/evaltest.dat
deleted file mode 100644
index 7355a0560..000000000
--- a/testing/tests/ikev1/mode-config/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
-carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 9c75434c2..000000000
--- a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftsourceip=%modeconfig
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 56f13324a..000000000
--- a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 56f13324a..000000000
--- a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index f8d952d21..000000000
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink
-  dns1 = PH_IP_WINNETOU
-  dns2 = PH_IP_VENUS
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/mode-config/posttest.dat b/testing/tests/ikev1/mode-config/posttest.dat
deleted file mode 100644
index 42fa8359b..000000000
--- a/testing/tests/ikev1/mode-config/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/mode-config/pretest.dat b/testing/tests/ikev1/mode-config/pretest.dat
deleted file mode 100644
index bb222992e..000000000
--- a/testing/tests/ikev1/mode-config/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/mode-config/test.conf b/testing/tests/ikev1/mode-config/test.conf
deleted file mode 100644
index 1a8f2a4e0..000000000
--- a/testing/tests/ikev1/mode-config/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/description.txt b/testing/tests/ikev1/multi-level-ca-cr-init/description.txt
new file mode 100644
index 000000000..602d026c2
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/description.txt
@@ -0,0 +1,6 @@
+The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
+<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
+in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certificates from
+the intermediate Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess
+copies of the Research and Sales CA certificates and must therefore request them from
+the responders <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat
new file mode 100644
index 000000000..03426ac44
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
index 39a1aa825..73e17062d 100755..100644
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,13 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 
-conn home
+conn alice
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	leftsendcert=ifasked
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+	rightsubnet=PH_IP_ALICE/32
 	auto=add
-
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
index d53365f78..d53365f78 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 69e5c05e3..69e5c05e3 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 53e18680b..53e18680b 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets
index fac55d63b..fac55d63b 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
index ce3903596..7140befe6 100755..100644
--- a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,21 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+
+conn venus
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
+	leftsendcert=ifasked
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 	rightsubnet=PH_IP_VENUS/32
 	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
index a10a18cba..a10a18cba 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 91df37a81..91df37a81 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 86740e86a..86740e86a 100644
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
index 0b9917b53..25716969f 100755..100644
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
@@ -19,10 +15,19 @@ conn %default
 	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
+	leftsendcert=ifasked
 	leftid=@moon.strongswan.org
 
 conn alice
 	leftsubnet=PH_IP_ALICE/32
-	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
+	auto=add
+	
+conn venus
+	leftsubnet=PH_IP_VENUS/32
+	right=PH_IP_DAVE
+	rightid=dave@strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat
new file mode 100644
index 000000000..24cd041ed
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
new file mode 100644
index 000000000..2eebc0f84
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat
@@ -0,0 +1,6 @@
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+moon::sleep 2
+moon::ipsec up alice
+moon::ipsec up venus
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/test.conf b/testing/tests/ikev1/multi-level-ca-cr-init/test.conf
new file mode 100644
index 000000000..9bb88d79f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt b/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt
new file mode 100644
index 000000000..06f9f6b91
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt
@@ -0,0 +1,6 @@
+The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and
+<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored
+in the strongSwan Root CA.  The hosts <b>carol</b> and <b>dave</b> have certificates from
+the intermediate Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess
+copies of the Research and Sales CA certificates and must therefore request them from
+the initiators <b>carol</b> and <b>dave</b>, respectively.
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat
new file mode 100644
index 000000000..dcd271772
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
index 4d42b1419..96da6db1e 100755..100644
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,14 +10,11 @@ conn %default
 	keyexchange=ikev1
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
+	leftsendcert=ifasked
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 
 conn alice
 	rightsubnet=PH_IP_ALICE/32
 	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
index d53365f78..d53365f78 100644
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 69e5c05e3..69e5c05e3 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 53e18680b..53e18680b 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets
index fac55d63b..fac55d63b 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
index 5f04445d2..bafec31f4 100755..100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,18 +10,11 @@ conn %default
 	keyexchange=ikev1
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
+	leftsendcert=ifasked
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
 conn venus
 	rightsubnet=PH_IP_VENUS/32
 	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
index a10a18cba..a10a18cba 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 91df37a81..91df37a81 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 86740e86a..86740e86a 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
index f79c501a8..7bae1ab0f 100755..100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
@@ -19,17 +15,17 @@ conn %default
 	keyexchange=ikev1
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
+	leftsendcert=ifasked
 	leftid=@moon.strongswan.org
 
 conn alice
 	leftsubnet=PH_IP_ALICE/32
 	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 	auto=add
 	
 conn venus
 	leftsubnet=PH_IP_VENUS/32
 	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 	auto=add
-	
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat
new file mode 100644
index 000000000..24cd041ed
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/multi-level-ca-strict/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
index 67c50c2ef..86dd31e83 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat
@@ -1,9 +1,6 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
 carol::sleep 2
 carol::ipsec up alice
-carol::ipsec up venus
 dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf
new file mode 100644
index 000000000..9bb88d79f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/description.txt b/testing/tests/ikev1/multi-level-ca-ldap/description.txt
deleted file mode 100644
index 18fb88840..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of two different Intermediate CAs. Access to
-<b>alice</b> is granted to users presenting a certificate issued by the Research CA
-whereas <b>venus</b> can only be reached with a certificate issued by the
-Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
-the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
-<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
-<p>
-By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and
-Sales CAs must be fetched from the LDAP server <b>winnetou</b> first, before the
-connection setups can be successfully completed.
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat
deleted file mode 100644
index 9cfa502aa..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat
+++ /dev/null
@@ -1,13 +0,0 @@
-moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES
-dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index d9e5b119e..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-ca strongswan
-        cacert=strongswanCert.pem
-        crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
-        auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 71358d6c6..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index bf83264af..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 71358d6c6..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 8de514a2e..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 50b896541..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList"
-	auto=add
-
-ca research 
-        cacert=researchCert.pem
-	crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=Linux strongSwan, c=CH?certificateRevocationList"
-	auto=add
-	
-ca sales 
-        cacert=salesCert.pem
-	crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH?certificateRevocationList"
-	auto=add
-			
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-
-conn alice
-	leftsubnet=PH_IP_ALICE/32
-	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
-	auto=add
-	
-conn venus
-	leftsubnet=PH_IP_VENUS/32
-	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
-	auto=add
-	
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 71358d6c6..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat b/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat
deleted file mode 100644
index ec4ba6e10..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat
deleted file mode 100644
index 322f42102..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
-carol::ipsec up venus
-dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/test.conf b/testing/tests/ikev1/multi-level-ca-ldap/test.conf
deleted file mode 100644
index 08e5cc145..000000000
--- a/testing/tests/ikev1/multi-level-ca-ldap/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca-loop/description.txt b/testing/tests/ikev1/multi-level-ca-loop/description.txt
deleted file mode 100644
index 9b63c2c66..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarrior <b>carol</b>, possessing a certificate issued by the
-Research CA, tries to set up a tunnel to gateway <b>moon</b>.
-The Research CA's certificate is signed by the Sales CA and
-the Sales CA's certificate in turn is signed by the Research CA.
-This leads to an endless trust path loop but which is aborted by
-<b>moon</b> when the path level reaches a depth of 7 iterations.
diff --git a/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat
deleted file mode 100644
index 524846109..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::cat /var/log/auth.log::maximum path length of 7 exceeded::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index f91ca63a8..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn alice
-	leftsubnet=PH_IP_ALICE/32
-	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
-	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
deleted file mode 100644
index 37ef9c665..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT
-CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf
-rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID
-BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx
-4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q
-m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha
-/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV
-HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM
-x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
-L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB
-ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B
-bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4
-hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk
-WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy
-02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF
-yuVPkDSgPds6m0KQcEVnuaU=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
deleted file mode 100644
index 0a435b90d..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz
-OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM
-BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH
-/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq
-4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6
-XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562
-kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj
-gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV
-HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1
-p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx
-CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
-L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD
-ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx
-qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7
-MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD
-Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16
-EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo
-aeDWsllgAdqMA2fL7i9tsFHZVYk=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-loop/posttest.dat b/testing/tests/ikev1/multi-level-ca-loop/posttest.dat
deleted file mode 100644
index 076f51f4d..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-
diff --git a/testing/tests/ikev1/multi-level-ca-loop/pretest.dat b/testing/tests/ikev1/multi-level-ca-loop/pretest.dat
deleted file mode 100644
index 0a0ec22bf..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
diff --git a/testing/tests/ikev1/multi-level-ca-loop/test.conf b/testing/tests/ikev1/multi-level-ca-loop/test.conf
deleted file mode 100644
index 3189fdfc7..000000000
--- a/testing/tests/ikev1/multi-level-ca-loop/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/description.txt b/testing/tests/ikev1/multi-level-ca-pathlen/description.txt
deleted file mode 100644
index 1852f7157..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The <b>strongSwan Root CA</b> constrains the path length to <b>one</b> intermediate CA
-but the <b>Research CA</b> creates a subsidiary <b>Duck Research CA</b> which in turn
-issues an end entity certificate to roadwarrior <b>carol</b> so that the total
-path length becomes <b>two</b>. This is detected by gateway <b>moon</b> which aborts
-the negotiation.
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/evaltest.dat b/testing/tests/ikev1/multi-level-ca-pathlen/evaltest.dat
deleted file mode 100644
index 235b7672e..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::cat /var/log/auth.log::path length of 2 violates constraint of 1::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::duck.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 4e13b52d0..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
-BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
-MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
-c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
-IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
-30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
-jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
-veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
-ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
-7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
-VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
-jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
-c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
-IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
-DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
-TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
-4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
-Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
-3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
-BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 48727ed9d..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF
-Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF
-w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/
-rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8
-UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX
-aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+
-33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX
-ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA
-zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2
-DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag
-QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp
-5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP
-44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX
-Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV
-2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar
-PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX
-LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/
-Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq
-VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL
-Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty
-6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3
-Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw
-Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq
-Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS
-QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw==
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index ca5919d5c..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn duck 
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftsendcert=ifasked
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Duck Research CA"
-	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
deleted file mode 100644
index bb205a0fd..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
-M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
-BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
-MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
-ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
-UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
-h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
-i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
-o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
-KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
-891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
-AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
-YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
-rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
-1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
-wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
-DSlBqDpnqK8tEI9V9YeroihTcygrEg==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/posttest.dat b/testing/tests/ikev1/multi-level-ca-pathlen/posttest.dat
deleted file mode 100644
index f84b7e37b..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev1/multi-level-ca-pathlen/pretest.dat
deleted file mode 100644
index 9f0232a7b..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home 
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/test.conf b/testing/tests/ikev1/multi-level-ca-pathlen/test.conf
deleted file mode 100644
index b118cb7dc..000000000
--- a/testing/tests/ikev1/multi-level-ca-pathlen/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/description.txt b/testing/tests/ikev1/multi-level-ca-revoked/description.txt
deleted file mode 100644
index c91ac285b..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-The roadwarrior <b>carol</b> possesses a certificate issued by the Research CA.
-The certificate of the Research CA has been revoked by the Root CA by entering
-the serial number in the CRL. Therefore upon verification of the trust path
-the gateway <b>moon</b> will reject the roadwarrior's certificate  
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat
deleted file mode 100644
index 0fd1cae8c..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::certificate was revoked::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec listcrls:: ok::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 69e5c05e3..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
-N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
-BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
-dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
-hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
-HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
-3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
-Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
-AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
-891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
-YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
-ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
-il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
-CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
-n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
-8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
-pwU12A3BovJKUaR0B7Uy2A==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 53e18680b..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
-azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
-nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
-b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
-H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
-GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
-N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
-er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
-kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
-BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
-Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
-DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
-waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
-1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
-RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
-CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
-eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
-FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
-auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
-rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
-iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
-qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
-/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
-hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
-5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
deleted file mode 100644
index c380a5110..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
-FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
-zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
-/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
-C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
-+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
-BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
-VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
-BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1
-LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa
-6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN
-T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r
-9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL
-cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq
-YO2C4HE=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat b/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat
deleted file mode 100644
index f84b7e37b..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat b/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat
deleted file mode 100644
index d92333d86..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/test.conf b/testing/tests/ikev1/multi-level-ca-revoked/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/multi-level-ca-revoked/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/multi-level-ca-strict/description.txt b/testing/tests/ikev1/multi-level-ca-strict/description.txt
deleted file mode 100644
index 32413e3de..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of two different Intermediate CAs. Access to
-<b>alice</b> is granted to users presenting a certificate issued by the Research CA
-whereas <b>venus</b> can only be reached with a certificate issued by the
-Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
-the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
-<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
-<p>
-By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and
-Sales CAs must be fetched first, before the connection setups can be successfully completed.
diff --git a/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat b/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat
deleted file mode 100644
index 5a181a62d..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES
-dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index cf93bb231..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
deleted file mode 100644
index 69e5c05e3..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1
-N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
-BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC
-ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy
-dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD
-hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9
-HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n
-3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz
-Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C
-AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE
-AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
-891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj
-YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js
-LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
-ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG
-il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC
-CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU
-n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq
-8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/
-pwU12A3BovJKUaR0B7Uy2A==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 53e18680b..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq
-azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP
-nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk
-b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4
-H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm
-GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9
-N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r
-er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC
-kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV
-BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+
-Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN
-DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp
-waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt
-1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw
-RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm
-CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM
-eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl
-FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO
-auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx
-rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8
-iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx
-qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv
-/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA
-hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2
-5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
deleted file mode 100644
index d53365f78..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
+++ /dev/null
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD
-FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU
-zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO
-/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0
-C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494
-+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E
-BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd
-VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV
-BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv
-bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy
-FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp
-cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM
-POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t
-xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U
-dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW
-8sFmiZI=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-strict/posttest.dat b/testing/tests/ikev1/multi-level-ca-strict/posttest.dat
deleted file mode 100644
index 1646d5ed2..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::rm /etc/ipsec.d/cacerts/*
-
diff --git a/testing/tests/ikev1/multi-level-ca-strict/test.conf b/testing/tests/ikev1/multi-level-ca-strict/test.conf
deleted file mode 100644
index 08e5cc145..000000000
--- a/testing/tests/ikev1/multi-level-ca-strict/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/multi-level-ca/evaltest.dat b/testing/tests/ikev1/multi-level-ca/evaltest.dat
index 72f620b8e..ede771fb6 100644
--- a/testing/tests/ikev1/multi-level-ca/evaltest.dat
+++ b/testing/tests/ikev1/multi-level-ca/evaltest.dat
@@ -1,12 +1,18 @@
-carol::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES
-moon::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES
-dave::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES
-moon::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES
+carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org::NO
+moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES
+dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
index d11724c28..3df94ba2d 100755..100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +13,7 @@ conn %default
 	leftsendcert=ifasked
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 
 conn alice
 	rightsubnet=PH_IP_ALICE/32
@@ -25,8 +22,3 @@ conn alice
 conn venus
 	rightsubnet=PH_IP_VENUS/32
 	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
index 2d80aad8a..28389112a 100755..100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +13,7 @@ conn %default
 	leftsendcert=ifasked
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
 
 conn alice
 	rightsubnet=PH_IP_ALICE/32
@@ -25,8 +22,3 @@ conn alice
 conn venus
 	rightsubnet=PH_IP_VENUS/32
 	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
index 9b97015fd..2dfd40f99 100755..100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
@@ -33,4 +29,3 @@ conn venus
 	right=%any
 	rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
 	auto=add
-	
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev1/multi-level-ca/pretest.dat b/testing/tests/ikev1/multi-level-ca/pretest.dat
index 67c50c2ef..755564cbc 100644
--- a/testing/tests/ikev1/multi-level-ca/pretest.dat
+++ b/testing/tests/ikev1/multi-level-ca/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev1/multi-level-ca/test.conf b/testing/tests/ikev1/multi-level-ca/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev1/multi-level-ca/test.conf
+++ b/testing/tests/ikev1/multi-level-ca/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/nat-before-esp/description.txt b/testing/tests/ikev1/nat-before-esp/description.txt
deleted file mode 100644
index e42ace476..000000000
--- a/testing/tests/ikev1/nat-before-esp/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-An IPsec tunnel connecting the gateway <b>moon</b> with the subnet behind
-gateway <b>sun</b> is set up. This host-to-net connection can also be
-used by the clients <b>alice</b> and <b>venus</b> via the trick of NAT-ing
-them to the outer IP address of gateway <b>moon</b> prior to tunnelling.
-The IPsec tunnel is first tested by <b>moon</b> pinging <b>bob</b> and vice versa,
-followed by the NAT-ed clients <b>alice</b> and <b>venus</b> pinging <b>bob</b>.
diff --git a/testing/tests/ikev1/nat-before-esp/evaltest.dat b/testing/tests/ikev1/nat-before-esp/evaltest.dat
deleted file mode 100644
index d466038ed..000000000
--- a/testing/tests/ikev1/nat-before-esp/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::ipsec status::host-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-net.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-bob::tcpdump::ICMP::YES
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index f87ec0e58..000000000
--- a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# NAT traffic from 10.1.0.0/16
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
-	
-	# forward traffic from 10.1.0.0/16 to POSTROUTING chain
-	iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -d 10.2.0.0/16 -j ACCEPT
-	iptables -A FORWARD -o eth1 -i eth0 -d 10.1.0.0/16 -s 10.2.0.0/16 -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 1ee1b7749..000000000
--- a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn host-net
-	left=192.168.0.1
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=192.168.0.2
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/nat-before-esp/posttest.dat b/testing/tests/ikev1/nat-before-esp/posttest.dat
deleted file mode 100644
index 307b96888..000000000
--- a/testing/tests/ikev1/nat-before-esp/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::iptables -t nat -v -n -L
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/nat-before-esp/pretest.dat b/testing/tests/ikev1/nat-before-esp/pretest.dat
deleted file mode 100644
index 75565540a..000000000
--- a/testing/tests/ikev1/nat-before-esp/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up host-net
diff --git a/testing/tests/ikev1/nat-before-esp/test.conf b/testing/tests/ikev1/nat-before-esp/test.conf
deleted file mode 100644
index 4234eaf63..000000000
--- a/testing/tests/ikev1/nat-before-esp/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/nat-one-rw/description.txt b/testing/tests/ikev1/nat-one-rw/description.txt
deleted file mode 100644
index c3b9bb820..000000000
--- a/testing/tests/ikev1/nat-one-rw/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to
-gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, the NAT-ed host <b>alice</b> pings the
-client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/nat-one-rw/evaltest.dat b/testing/tests/ikev1/nat-one-rw/evaltest.dat
deleted file mode 100644
index bc193963d..000000000
--- a/testing/tests/ikev1/nat-one-rw/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/nat-one-rw/posttest.dat b/testing/tests/ikev1/nat-one-rw/posttest.dat
deleted file mode 100644
index cd0d4df25..000000000
--- a/testing/tests/ikev1/nat-one-rw/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-alice::ipsec stop
-sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev1/nat-one-rw/pretest.dat b/testing/tests/ikev1/nat-one-rw/pretest.dat
deleted file mode 100644
index 9dacc672c..000000000
--- a/testing/tests/ikev1/nat-one-rw/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::ipsec start
-sun::ipsec start
-alice::sleep 5
-alice::ipsec up nat-t
-
diff --git a/testing/tests/ikev1/nat-one-rw/test.conf b/testing/tests/ikev1/nat-one-rw/test.conf
deleted file mode 100644
index d84149aaf..000000000
--- a/testing/tests/ikev1/nat-one-rw/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev1/nat-two-rw/description.txt b/testing/tests/ikev1/nat-rw/description.txt
index dcf4b94bd..dcf4b94bd 100644
--- a/testing/tests/ikev1/nat-two-rw/description.txt
+++ b/testing/tests/ikev1/nat-rw/description.txt
diff --git a/testing/tests/ikev1/nat-rw/evaltest.dat b/testing/tests/ikev1/nat-rw/evaltest.dat
new file mode 100644
index 000000000..387dbae23
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: sleep 6::no output expected::NO
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-rw/hosts/alice/etc/ipsec.conf
index 8db43213f..df626c201 100755..100644
--- a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-rw/hosts/alice/etc/ipsec.conf
@@ -1,19 +1,16 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev2
-
+	keyexchange=ikev1
+		
 conn nat-t
-	left=%defaultroute
+	left=%any
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..dabff38e4
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-rw/hosts/sun/etc/ipsec.conf
index a7c500fe2..c321102ce 100755..100644
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,12 +8,13 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=secret
-	
+
 conn nat-t
 	left=PH_IP_SUN
-	leftsubnet=10.2.0.0/16
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
 	leftfirewall=yes
+	leftsubnet=10.2.0.0/16
 	right=%any
-	rightsubnetwithin=10.1.0.0/16
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca23c6971
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-rw/hosts/venus/etc/ipsec.conf
index eee3c45e8..6c627e0a6 100755..100644
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-rw/hosts/venus/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,11 +8,13 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=secret
-		
+
 conn nat-t
-	left=%defaultroute
+	left=%any
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
 	leftfirewall=yes
 	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
 	rightsubnet=10.2.0.0/16
 	auto=add
diff --git a/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..dabff38e4
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/ikev1/nat-rw/posttest.dat b/testing/tests/ikev1/nat-rw/posttest.dat
new file mode 100644
index 000000000..4643a3a7b
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/pfkey/nat-two-rw/pretest.dat b/testing/tests/ikev1/nat-rw/pretest.dat
index e365ff5c5..d701a1d61 100644
--- a/testing/tests/pfkey/nat-two-rw/pretest.dat
+++ b/testing/tests/ikev1/nat-rw/pretest.dat
@@ -1,7 +1,6 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
diff --git a/testing/tests/ikev1/nat-rw/test.conf b/testing/tests/ikev1/nat-rw/test.conf
new file mode 100644
index 000000000..f515d4bc7
--- /dev/null
+++ b/testing/tests/ikev1/nat-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat b/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat
deleted file mode 100644
index fa64c3d88..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::alice.*alice@strongswan.org::YES
-sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::venus.*venus.strongswan.org::YES
-sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES
-sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES
-bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index 4ed556226..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn nat-t
-	left=%defaultroute
-	leftsubnet=10.1.0.0/25
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	lefthostaccess=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index 2b346430e..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control parsing" #parsing to get knl 2 messages
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn alice
-	rightid=alice@strongswan.org
-	mark=10/0xffffffff
-	also=sun
-	auto=add
-
-conn venus
-	rightid=@venus.strongswan.org
-	mark=20  #0xffffffff is used by default
-	also=sun
-	auto=add
-
-conn sun
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftsubnet=10.2.0.0/16
-	leftupdown=/etc/mark_updown
-	right=%any
-	rightsubnet=10.1.0.0/25
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
deleted file mode 100755
index 0be3477c1..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn nat-t
-	left=%defaultroute
-	leftsubnet=10.1.0.0/25
-	leftcert=venusCert.pem
-	leftid=@venus.strongswan.org
-	leftfirewall=yes
-	lefthostaccess=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/nat-two-rw-mark/posttest.dat b/testing/tests/ikev1/nat-two-rw-mark/posttest.dat
deleted file mode 100644
index 89d5f534b..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-sun::iptables -t mangle -v -n -L PREROUTING
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
-sun::conntrack -F
-sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev1/nat-two-rw-mark/test.conf b/testing/tests/ikev1/nat-two-rw-mark/test.conf
deleted file mode 100644
index ae3c190b8..000000000
--- a/testing/tests/ikev1/nat-two-rw-mark/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat b/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat
deleted file mode 100644
index e8aaf0b5f..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*\[PH_IP_ALICE\]::YES
-sun::ipsec status::nat-t.*\[PH_IP_VENUS\]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets
deleted file mode 100644
index e8c151f05..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index e8c151f05..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets
deleted file mode 100644
index e8c151f05..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/posttest.dat b/testing/tests/ikev1/nat-two-rw-psk/posttest.dat
deleted file mode 100644
index 52572ece8..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev1/nat-two-rw-psk/pretest.dat b/testing/tests/ikev1/nat-two-rw-psk/pretest.dat
deleted file mode 100644
index 6172bd088..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/pretest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::rm /etc/ipsec.d/cacerts/*
-venus::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 5 
-alice::ipsec up nat-t
-venus::sleep 5 
-venus::ipsec up nat-t
diff --git a/testing/tests/ikev1/nat-two-rw-psk/test.conf b/testing/tests/ikev1/nat-two-rw-psk/test.conf
deleted file mode 100644
index 84317fd70..000000000
--- a/testing/tests/ikev1/nat-two-rw-psk/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-two-rw/evaltest.dat b/testing/tests/ikev1/nat-two-rw/evaltest.dat
deleted file mode 100644
index 03c6d8ae6..000000000
--- a/testing/tests/ikev1/nat-two-rw/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*alice@strongswan.org::YES
-sun::ipsec status::nat-t.*venus.strongswan.org::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/nat-two-rw/posttest.dat b/testing/tests/ikev1/nat-two-rw/posttest.dat
deleted file mode 100644
index 52572ece8..000000000
--- a/testing/tests/ikev1/nat-two-rw/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev1/nat-two-rw/test.conf b/testing/tests/ikev1/nat-two-rw/test.conf
deleted file mode 100644
index 84317fd70..000000000
--- a/testing/tests/ikev1/nat-two-rw/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-virtual-ip/description.txt b/testing/tests/ikev1/nat-virtual-ip/description.txt
new file mode 100644
index 000000000..31d24cda6
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/description.txt
@@ -0,0 +1,6 @@
+The router <b>moon</b> sets up a connection to gateway <b>sun</b> in order
+to reach the subnet hidden behind <b>sun</b>. The gateway <b>sun</b> assigns a
+virtual IP address to router <b>moon</b>. A special updown script on <b>moon</b>
+specified by <b>leftupdown=/etc/nat_updown</b> dynamically inserts a source NAT rule
+which maps the IP address of client <b>alice</b> to the virtual IP of <b>moon</b>.
+This allows <b>alice</b> to access client <b>bob</b> via the established IPsec tunnel.
diff --git a/testing/tests/ikev1/nat-virtual-ip/evaltest.dat b/testing/tests/ikev1/nat-virtual-ip/evaltest.dat
new file mode 100644
index 000000000..c60ffc772
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/evaltest.dat
@@ -0,0 +1,8 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
+bob::tcpdump::IP bob.strongswan.org > alice2.strongswan.org: ICMP::YES
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts b/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts
new file mode 100644
index 000000000..ee854da09
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts
@@ -0,0 +1,70 @@
+# /etc/hosts:  This file describes a number of hostname-to-address
+#              mappings for the TCP/IP subsystem.  It is mostly
+#              used at boot time, when no name servers are running.
+#              On small systems, this file can be used instead of a
+#              "named" name server.  Just add the names, addresses
+#              and any aliases to this file...
+#
+
+127.0.0.1	localhost
+
+192.168.0.254	uml0.strongswan.org	uml0
+10.1.0.254	uml1.strongswan.org	uml1
+10.2.0.254	uml1.strongswan.org	uml2
+
+10.1.0.10	alice.strongswan.org	alice
+10.1.0.20	venus.strongswan.org	venus
+10.1.0.1	moon1.strongswan.org	moon1
+192.168.0.1	moon.strongswan.org	moon
+192.168.0.50	alice1.strongswan.org	alice1
+192.168.0.100	carol.strongswan.org	carol
+10.3.0.1	carol1.strongswan.org	carol1
+192.168.0.150	winnetou.strongswan.org	winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+192.168.0.200	dave.strongswan.org	dave
+10.3.0.2	dave1.strongswan.org	dave1
+192.168.0.2	sun.strongswan.org	sun
+10.2.0.1	sun1.strongswan.org	sun1
+10.2.0.10	bob.strongswan.org	bob
+10.4.0.1	alice2.strongswan.org	alice2
+
+# IPv6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+# IPv6 solicited-node multicast addresses
+ff02::1:ff00:1	ip6-mcast-1
+ff02::1:ff00:2	ip6-mcast-2
+ff02::1:ff00:10	ip6-mcast-10
+ff02::1:ff00:15	ip6-mcast-15
+ff02::1:ff00:20	ip6-mcast-20
+
+# IPv6 site-local addresses
+fec0::5		ip6-alice1.strongswan.org   ip6-alice1
+fec1::10	ip6-alice.strongswan.org    ip6-alice
+fec1::20	ip6-venus.strongswan.org    ip6-venus
+fec1::1 	ip6-moon1.strongswan.org    ip6-moon1
+fec0::1 	ip6-moon.strongswan.org     ip6-moon
+fec0::10	ip6-carol.strongswan.org    ip6-carol
+fec3::1 	ip6-carol1.strongswan.org   ip6-carol1
+fec0::15	ip6-winnetou.strongswan.org ip6-winnetou 
+fec0::20	ip6-dave.strongswan.org     ip6-dave
+fec3::2 	ip6-dave1.strongswan.org    ip6-dave1
+fec0::2 	ip6-sun.strongswan.org      ip6-sun
+fec2::1 	ip6-sun1.strongswan.org     ip6-sun1
+fec2::10	ip6-bob.strongswan.org      ip6-bob
+
+# IPv6 link-local HW derived addresses
+fe80::fcfd:0aff:fe01:14	ip6-hw-venus.strongswan.org    ip6-hw-venus
+fe80::fcfd:0aff:fe01:0a	ip6-hw-alice.strongswan.org    ip6-hw-alice
+fe80::fcfd:0aff:fe01:01	ip6-hw-moon1.strongswan.org    ip6-hw-moon1
+fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org     ip6-hw-moon
+fe80::fcfd:c0ff:fea8:64	ip6-hw-carol.strongswan.org    ip6-hw-carol
+fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
+fe80::fcfd:c0ff:fea8:c8	ip6-hw-dave.strongswan.org     ip6-hw-dave
+fe80::fcfd:c0ff:fea8:02	ip6-hw-sun.strongswan.org      ip6-hw-sun
+fe80::fcfd:0aff:fe02:01	ip6-hw-sun1.strongswan.org     ip6-hw-sun1
+fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org      ip6-hw-bob
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf
index 30af017ff..28853ce75 100755..100644
--- a/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	mobike=no
 
 conn net-net 
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
-	leftsubnet=10.0.0.0/14
-	leftfirewall=yes
+	leftsourceip=%config
+	leftupdown=/etc/nat_updown
 	right=PH_IP_SUN
 	rightid=@sun.strongswan.org
-	rightsubnet=10.4.0.0/14
+	rightsubnet=10.2.0.0/16
 	auto=add
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
new file mode 100755
index 000000000..aab1df687
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -0,0 +1,152 @@
+#! /bin/sh
+# NAT updown script
+#
+# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#              if non-empty, then the source address for the route will be
+#              set to this IP address.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
+export PATH
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+case "$PLUTO_VERB:$1" in
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j ACCEPT
+        iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+            -s $PLUTO_PEER_CLIENT -j ACCEPT
+	iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+	    -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+	echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+        iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+            -d $PLUTO_PEER_CLIENT -j ACCEPT
+        iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+            -s $PLUTO_PEER_CLIENT -j ACCEPT
+         iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+            -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+        echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2    
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf
index 5e924cf25..ff030b5b5 100755..100644
--- a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,16 +8,15 @@ conn %default
 	rekeymargin=3m
         keyingtries=1
 	keyexchange=ikev1
+	mobike=no
 
 conn net-net 
 	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
-	leftsubnet=10.4.0.0/14
-	leftupdown=/etc/mark_updown
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
-	rightsubnet=10.0.0.0/14
-	mark_in=8
-	mark_out=4
+	rightsourceip=10.4.0.0/24
 	auto=add
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/nat-virtual-ip/posttest.dat b/testing/tests/ikev1/nat-virtual-ip/posttest.dat
new file mode 100644
index 000000000..11bd19da7
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::conntrack -F
+moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
new file mode 100644
index 000000000..eb0c28c7f
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::conntrack -F
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
+moon::sleep 1
diff --git a/testing/tests/ikev1/nat-virtual-ip/test.conf b/testing/tests/ikev1/nat-virtual-ip/test.conf
new file mode 100644
index 000000000..f46f137b4
--- /dev/null
+++ b/testing/tests/ikev1/nat-virtual-ip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun bob"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-cert/evaltest.dat b/testing/tests/ikev1/net2net-cert/evaltest.dat
index 7cbf92687..2b37cad99 100644
--- a/testing/tests/ikev1/net2net-cert/evaltest.dat
+++ b/testing/tests/ikev1/net2net-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/ipsec.conf
index bc72fab0f..b1a8c98fc 100755..100644
--- a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +9,13 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 
-conn net-net
+conn net-net 
 	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
-	auto=route
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/ipsec.conf
index 7541aa894..5f0405b05 100755..100644
--- a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -1,26 +1,21 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
-	keyingtries=1
+        keyingtries=1
 	keyexchange=ikev1
 
-conn net-net
+conn net-net 
 	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
 	leftfirewall=yes
-	leftsubnet=0.0.0.0/0
 	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-cert/posttest.dat b/testing/tests/ikev1/net2net-cert/posttest.dat
index 5a9150bc8..837738fc6 100644
--- a/testing/tests/ikev1/net2net-cert/posttest.dat
+++ b/testing/tests/ikev1/net2net-cert/posttest.dat
@@ -1,4 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev1/net2net-cert/pretest.dat b/testing/tests/ikev1/net2net-cert/pretest.dat
index 9f60760c6..c724e5df8 100644
--- a/testing/tests/ikev1/net2net-cert/pretest.dat
+++ b/testing/tests/ikev1/net2net-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::sleep 1 
 moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-cert/test.conf b/testing/tests/ikev1/net2net-cert/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev1/net2net-cert/test.conf
+++ b/testing/tests/ikev1/net2net-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-rsa/description.txt b/testing/tests/ikev1/net2net-fragmentation/description.txt
index a23fae8c3..6fe773299 100644
--- a/testing/tests/ikev1/net2net-rsa/description.txt
+++ b/testing/tests/ikev1/net2net-fragmentation/description.txt
@@ -1,6 +1,9 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>raw RSA keys</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+The authentication is based on <b>X.509 certificates</b>. The proprietary IKEv1 fragmentation
+protocol prevents the IP fragmentation of the IKEv1 messages carrying the large X.509
+certificates.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
 pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
new file mode 100644
index 000000000..876787495
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
@@ -0,0 +1,15 @@
+moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
+sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
+moon::cat /var/log/daemon.log::sending IKE message with length of 1468 bytes in 2 fragments::YES
+sun::cat /var/log/daemon.log::sending IKE message with length of 1388 bytes in 2 fragments::YES
+moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
+moon::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
+sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
+sun::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf
index acb12e7f3..cdd430408 100755..100644
--- a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
-conn net-net
+conn net-net 
 	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
-	auto=start
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9caf4fa37
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..448525bf7
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev1
+	fragmentation=yes
+
+conn net-net 
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..9caf4fa37
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-fragmentation/posttest.dat b/testing/tests/ikev1/net2net-fragmentation/posttest.dat
new file mode 100644
index 000000000..837738fc6
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev1/net2net-fragmentation/pretest.dat b/testing/tests/ikev1/net2net-fragmentation/pretest.dat
new file mode 100644
index 000000000..c724e5df8
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-fragmentation/test.conf b/testing/tests/ikev1/net2net-fragmentation/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/ikev1/net2net-fragmentation/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat b/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat
deleted file mode 100644
index 7cbf92687..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index 135cfaec0..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 32f204b10..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
deleted file mode 100644
index 6524773e0..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc
+++ /dev/null
@@ -1,19 +0,0 @@
-Type Bits/KeyID    Date       User ID
-sec  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd
-JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9
-FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6
-7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3
-0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN
-8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7
-QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v
-biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4=
-=YFQm
------END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 71896491e..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index 135cfaec0..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/613A3B61 2005/08/07 moon <moon.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61
-+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9
-RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR
-tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB
-vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1
-f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac
-t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP
-=oaBj
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 32f204b10..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,15 +0,0 @@
-Type Bits/KeyID    Date       User ID
-pub  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: 2.6.3i
-
-mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR
-A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj
-0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn
-lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ==
-=lLvB
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
deleted file mode 100644
index de2393649..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc
+++ /dev/null
@@ -1,19 +0,0 @@
-Type Bits/KeyID    Date       User ID
-sec  1024/79949ADD 2005/08/07 sun <sun.strongswan.org>
-
------BEGIN PGP SECRET KEY BLOCK-----
-Version: 2.6.3i
-
-lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ
-rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7
-I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR
-AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI
-Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1
-GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg
-vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2
-LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn
-2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs
-xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu
-IDxzdW4uc3Ryb25nc3dhbi5vcmc+
-=DwEu
------END PGP SECRET KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 71896491e..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/net2net-pgp-v3/posttest.dat b/testing/tests/ikev1/net2net-pgp-v3/posttest.dat
deleted file mode 100644
index fafcde975..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-sun::rm /etc/ipsec.d/certs/*
-sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/net2net-pgp-v3/pretest.dat b/testing/tests/ikev1/net2net-pgp-v3/pretest.dat
deleted file mode 100644
index 9e40684ab..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-sun::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-pgp-v3/test.conf b/testing/tests/ikev1/net2net-pgp-v3/test.conf
deleted file mode 100644
index f74d0f7d6..000000000
--- a/testing/tests/ikev1/net2net-pgp-v3/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat
deleted file mode 100644
index 7cbf92687..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 094ab3bed..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control parsing"
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	
-conn net-net
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.asc
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightcert=sunCert.asc
-	rightid=@#b42f31fec80ae3264a101c85977a04ac8d1638d3
-	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index a512f8f52..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
-UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
-nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
-6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
-I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
-JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh
-bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA
-CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K
-N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K
-1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y
-D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk
-/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv
-1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK
-CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc
-ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt
-21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX
-mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb
-G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D
-spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz
-=j2hu
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 5117cbb04..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
-QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
-/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
-CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
-B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
-4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu
-Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK
-CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g
-0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0
-eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D
-RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG
-6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j
-vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ
-EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg
-Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t
-mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m
-t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT
-gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf
-lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o=
-=tAh4
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
deleted file mode 100644
index 59de821d6..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN PGP PRIVATE KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-lQOYBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
-UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
-nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
-6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
-I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
-JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAEAB/42Vsa7NTpAgwe92+gx
-nscTQsjTs9xf5VSQV6gRKWmUAQYNZoNDue2Ot5AeBJFWV8x++fWAZfrrkLJUkwu/
-Z8UcPbSuJhEsrG4F5B3owTy8cBPbNYd9c6JZAKFPBY8W5l9M5OQyUF1amiuk/1jX
-BNPEN6SBK3j0IhZvQ2bIgCJrxUH9igvOig2HmfOYv11UMzOErSA/eGRSA+TrM+QK
-BDCG1ae3dLe/pXtIuh1/jkLo7Byk0ofgv2+Ty/LSwBCj0vtUjtMHHRNZFRYFrNiN
-S6FyrS7+Q9BJolNkuXT83i4dm208+6bKQBPxV3ZaLgf2y19/g5av8f745ercygQI
-MdGBBADaWGKpev55Oom2gNV4jaQFaAc4K4OqW1IbsXk8QSl1iaoHmt9VlGP+A+8O
-GG+h0cfIlUHnAC29Hs5lDnlByqdTnG9zTyOrnzZEY1+jFGGgs+O/ehS3riGI5dB8
-mwReZfY/aqp7naLkkymHuIAizmxkYORPZtTugyi99Zha4m8j4QQA+39fTOthVIYi
-RXMzGknEjh9fMLvCkx33ghapCtc4ftJRACfaatQJVBG2li7LHbPg9fboIyG/x/Ey
-iyGtPxwBLo7MJige6xpzVB4Qk+zLDCKouca29uY1rGQzZ0FTmMMtu3Rm+dKh9lLv
-vg7ZJNTfhxldC+R/L/gOIBWEzy/iXaMD/2A+wQuKDLDRb9/sOiq/6z7Ryl6FPbTC
-AvvNU3hJtRImfmHodob//zzYYgOY7exY/qubC6FsDW4AN+2iHesCdIzCrAG7v9X3
-Rn1WPq96FfY2y5b6qEl8Tx+a71TZi5RJRtoWPe3IolausE0T3IjRbWI4XgMu/T5o
-Rmv/f5gyc5OxPpG0E21vb24uc3Ryb25nc3dhbi5vcmeJATcEEwECACEFAkpg0UQC
-GwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AACgkQ9djQiWs7dNHHNQf/UiwJPioL
-ef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8KN2yl6/L8djIdox0jw3yCYhCWxf94
-N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K1niLPYmJf5sMWXPAmetT6tNEHNhk
-mE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1YD4HulHK0nfMxf1gVmFhRFtGpzrGS
-26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk/EoRdO7hDOAEk80Gp23bDX6ygnvs
-AqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv1I5GZ96wAo+s+KZAXaHlxFvq7r6O
-MzxgEWTtyNTtGw==
-=Vb4y
------END PGP PRIVATE KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 71896491e..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
deleted file mode 100644
index a512f8f52..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf
-UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A
-nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd
-6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/
-I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f
-JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh
-bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA
-CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K
-N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K
-1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y
-D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk
-/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv
-1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK
-CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc
-ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt
-21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX
-mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb
-G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D
-spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz
-=j2hu
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
deleted file mode 100644
index 5117cbb04..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
-QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
-/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
-CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
-B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
-4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu
-Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK
-CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g
-0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0
-eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D
-RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG
-6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j
-vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ
-EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg
-Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t
-mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m
-t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT
-gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf
-lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o=
-=tAh4
------END PGP PUBLIC KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
deleted file mode 100644
index 68899ae37..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN PGP PRIVATE KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-lQOYBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB
-QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM
-/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV
-CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP
-B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN
-4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAEAB/0XU57hkU9R6mSoALnt
-Qh+aqsDjOEvEllPTGmH+icFipJP9g0lr+B8EQ0egCUyj3Kb36mS7Yw+0Bv4WDxlh
-9bm7Iohhn7vIWz9Y4HvjSWi+vGJLiWI+TkkqLz0zUAGemTjU2snKzNfwDrd3WFRn
-VsZxKxpiBAITzk+nWSHGp+yCfl3NVaA/MYAI+FgiQlq/qTCRreEsexAJ09weDLGN
-P95V4E6LACRy+wiy7X0lRzS1047UUtTcZUF6c5ERfgAGT5NKT/ZA4THZy5pPrSOw
-bRIHbozSlWbnrZNz8DNa4iyHsEw/42IvjU/LflmGWL2hvVxA40ezlxGVi5ea5gFV
-5q9dBADWGXToEaHMqie/HAC4+1/VCTmAvqIKcegNWHCL1PGYBBfRonF/TDcbkawy
-0ATlk+rkyTaRvkapb1LdqE1qThGQWC6iLb3v8E2UEizCM1VFo2EqcKxbCoJdsEtR
-mrK/zIqZ/h/4iEu/ekLPeDwdIWWdBlfYTtTwdMH40eoPOLyo/QQA7+dSOQcAUp8H
-1NuNpyK+9M3/mkpXRF3cqdiY7AnHIf4WWDtgDUHugtO8HlAkq4cL27QYBojVHCqB
-P+NLJo6A35nNbt2IPqAotCgk8NlgtsA+oJ9tvWGarOLMnIt0eBv80blqa5PGeoFt
-EuYxYO2bRAE2cQtMXPMLKpl3VKSRMR8EAKINBJ81zq2twDG1qvRg40XAz2LOKkFd
-B+fNAd0JSC8+qx4MMdn0iL6WaCIN6t1wzI7l1whLUc7f3MPF2dwrsrB9j3MgHppr
-GBLl0A3a1tIkWPAejMcpSgFR63ooQQgoX+XH0woST3wgHTZT6fF+zFn3eaGJ3wqv
-JNcE4vcbJf1COoi0EnN1bi5zdHJvbmdzd2FuLm9yZ4kBNwQTAQIAIQUCSmDRuAIb
-AwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAKCRCXegSsjRY407LCCACqHrnT1xqs
-QRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g0P+Scnu84xj1o5bRWX2WyPYZUgDY
-6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0eNYmehGoIes4JfQm08UM7roywGaa
-WAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/DRLu5rvCB6m5u62RncmppraAYuQWR
-jZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG6XXcCnBr/34g/bQXWRxBhbf91ewV
-aDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97jvnvvZKUwbd/TRFJkorkhkRpA1wSr
-J0tAsvODgc8b
-=QOF4
------END PGP PRIVATE KEY BLOCK-----
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 71896491e..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/net2net-pgp-v4/posttest.dat b/testing/tests/ikev1/net2net-pgp-v4/posttest.dat
deleted file mode 100644
index fafcde975..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-sun::rm /etc/ipsec.d/certs/*
-sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev1/net2net-pgp-v4/test.conf b/testing/tests/ikev1/net2net-pgp-v4/test.conf
deleted file mode 100644
index f74d0f7d6..000000000
--- a/testing/tests/ikev1/net2net-pgp-v4/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-psk-fail/description.txt b/testing/tests/ikev1/net2net-psk-fail/description.txt
index 5a794bd17..688182be4 100644
--- a/testing/tests/ikev1/net2net-psk-fail/description.txt
+++ b/testing/tests/ikev1/net2net-psk-fail/description.txt
@@ -1,7 +1,5 @@
-An IPsec tunnel connecting the subnets behind the gateways <b>moon</b> and 
-<b>sun</b> is set up. The authentication is based on <b>Preshared Keys</b>
-(PSK). Unfortunately the secret keys of <b>moon</b> and <b>sun</b> do not
-match, so that the responder cannot decrypt ISAKMP message MI3. The resulting
-encrypted notification message cannot in turn be read by the initiator
-<b>moon</b>. In order to avoid a <b>notify-war</b>, any further generation of
-PAYLOAD_MALFORMED messages is suppressed.
+A connection between the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>Preshared Keys</b> (PSK), but gateway <b>moon</b>
+uses a wrong PSK. This makes it impossible for gateway <b>sun</b> to decrypt the
+IKEv1 message correctly. Thus <b>sun</b> returns a <b>PAYLOAD-MALFORMED</b> error
+notify which in turn cannot be decrypted by <b>moon</b>.
diff --git a/testing/tests/ikev1/net2net-psk-fail/evaltest.dat b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat
index 7f7cb9726..36ad061ac 100644
--- a/testing/tests/ikev1/net2net-psk-fail/evaltest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat
@@ -1,6 +1,8 @@
-moon::cat /var/log/auth.log::malformed payload in packet::YES
-sun::cat /var/log/auth.log::probable authentication failure.*mismatch of preshared secrets.*malformed payload in packet::YES
-sun::cat /var/log/auth.log::sending encrypted notification PAYLOAD_MALFORMED::YES
-moon::ipsec status::net-net.*STATE_MAIN_I4.*ISAKMP SA established::NO
-sun::ipsec status::net-net.*STATE_MAIN_R3.*ISAKMP SA established::NO
-
+sun:: cat /var/log/daemon.log::invalid ID_V1 payload length, decryption failed::YES
+sun:: cat /var/log/daemon.log::generating INFORMATIONAL_V1 request.*HASH N(PLD_MAL)::YES
+moon::cat /var/log/daemon.log::invalid HASH_V1 payload length, decryption failed::YES
+moon::cat /var/log/daemon.log::ignore malformed INFORMATIONAL request::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::NO
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::NO
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
index ad0359f01..5917bab81 100755..100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
@@ -1,21 +1,20 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
 	authby=secret
-	
+	keyexchange=ikev1
+
 conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
+	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
index be95c4d99..38ebf966c 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
@@ -1,7 +1,4 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx
 
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
index 453cdc07c..5db4358d6 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
index 9bbff9039..8fe02b10b 100755..100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
@@ -1,21 +1,20 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
 	authby=secret
-	
+	keyexchange=ikev1
+
 conn net-net
 	left=PH_IP_SUN
 	leftsubnet=10.2.0.0/16
 	leftid=@sun.strongswan.org
+	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
index b53577e1d..be95c4d99 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
@@ -1,6 +1,6 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-@moon.strongswan.org @sun.strongswan.org : PSK 0sZNbttZkdViYmLWprfhiZBtDjJbNAMHil
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
 
 
 
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
index 453cdc07c..5db4358d6 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -1,11 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/net2net-psk-fail/posttest.dat b/testing/tests/ikev1/net2net-psk-fail/posttest.dat
index dff181797..1f7aa73a1 100644
--- a/testing/tests/ikev1/net2net-psk-fail/posttest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-psk-fail/pretest.dat b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
index aa8e332e0..0f4ae0f4f 100644
--- a/testing/tests/ikev1/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
@@ -1,5 +1,7 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2
diff --git a/testing/tests/ikev1/net2net-psk-fail/test.conf b/testing/tests/ikev1/net2net-psk-fail/test.conf
index f6e064e7d..eb4822b5d 100644
--- a/testing/tests/ikev1/net2net-psk-fail/test.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-psk/evaltest.dat b/testing/tests/ikev1/net2net-psk/evaltest.dat
index 7cbf92687..2b37cad99 100644
--- a/testing/tests/ikev1/net2net-psk/evaltest.dat
+++ b/testing/tests/ikev1/net2net-psk/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
index c63ec2f30..e4243e294 100755..100644
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
index 453cdc07c..238ec24b7 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
index e21ee9910..38dab14b4 100755..100644
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
index 453cdc07c..238ec24b7 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-psk/posttest.dat b/testing/tests/ikev1/net2net-psk/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev1/net2net-psk/posttest.dat
+++ b/testing/tests/ikev1/net2net-psk/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-psk/pretest.dat b/testing/tests/ikev1/net2net-psk/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev1/net2net-psk/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev1/net2net-psk/test.conf b/testing/tests/ikev1/net2net-psk/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev1/net2net-psk/test.conf
+++ b/testing/tests/ikev1/net2net-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-route/description.txt b/testing/tests/ikev1/net2net-route/description.txt
deleted file mode 100644
index 323f09555..000000000
--- a/testing/tests/ikev1/net2net-route/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-A tunnel that will connect the subnets behind the gateways <b>moon</b>
-and <b>sun</b>, respectively, is preconfigured by installing a %trap eroute
-on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf.
-A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to
-<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and
-leads to the automatic establishment of the subnet-to-subnet tunnel.
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
-that let pass the tunneled traffic.
diff --git a/testing/tests/ikev1/net2net-route/evaltest.dat b/testing/tests/ikev1/net2net-route/evaltest.dat
deleted file mode 100644
index 38d589e5a..000000000
--- a/testing/tests/ikev1/net2net-route/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::cat /var/log/auth.log::initiate on demand from PH_IP_ALICE::YES
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-route/posttest.dat b/testing/tests/ikev1/net2net-route/posttest.dat
deleted file mode 100644
index 5a9150bc8..000000000
--- a/testing/tests/ikev1/net2net-route/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/net2net-route/pretest.dat b/testing/tests/ikev1/net2net-route/pretest.dat
deleted file mode 100644
index 2eef7de19..000000000
--- a/testing/tests/ikev1/net2net-route/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2 
-alice::ping -c 10 PH_IP_BOB
diff --git a/testing/tests/ikev1/net2net-route/test.conf b/testing/tests/ikev1/net2net-route/test.conf
deleted file mode 100644
index d9a61590f..000000000
--- a/testing/tests/ikev1/net2net-route/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-rsa/evaltest.dat b/testing/tests/ikev1/net2net-rsa/evaltest.dat
deleted file mode 100644
index 7cbf92687..000000000
--- a/testing/tests/ikev1/net2net-rsa/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 837c1ab56..000000000
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	
-conn net-net
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftid=@moon.strongswan.org
-	leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
-	leftfirewall=yes
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
-	auto=add
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 9859ae8ed..000000000
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA	{
-	# RSA 2048 bits   moon.strongswan.org   Wed Dec  8 21:41:27 2004
-	# for signatures only, UNSAFE FOR ENCRYPTION
-	#pubkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
-	Modulus: 0x7e9a4784085e419bb5e70e49247e6827cbf4d99dd4e43755f3159581ee726ba0cddc4e4df332d7523d7f2163d190c551964ac99406aee6180e50c77f49a51369cb3c56ef045c31bc2a0eab86d4f45f6e52f35758b175738648b50d697a27a8323f8797c292a4ee66d2db138ab73dfe0f990030cd6556693650d605d7a94a8a94deb6d7c1e6daf6ef35113f0811ee14c99a0b3d758dc92f68fbdca812d9cd14f1f5bfcc8bea83eb14fb93d4696079ad686089f7979dd5b63a49991aa601d6bbcf3fdcce9bc42cc3d0a380de815bc25907905c9a196141dbe7dcecbe817d8ab4c2bfddf38b5074ec449f70702d3ad52a8efee80c43acc8b423e6e50f69ddf5cc63
-	PublicExponent: 0x03
-	# everything after this point is secret
-	PrivateExponent: 0x1519b69601650aef48fbd7b6db6a66b14ca8ceefa37b5e8e532e4395a7bdbc9accfa0d0cfdddce8db4ea8590a2ed763843b72198abc7d1040262cbea8c462de6f734b927d60f5d9f5c57c741237e0fe7b87de3e41d9393410c1e2ce6e9b146b30a96994b1870d2667879d8971e8a5502998008223b8e66de62ce564e9c37171893a0e8a94749590fef394b9deda1e73937b1c664d2e4764ae49572771130a097024380c258fa25f9083eefc5eabe762d8e856237bdd8ad8217f899688f70ac1f37650dc08bf3748b74a4f30873842fe27bdfbc49d0cb14c3861ff18b1219153ddb69e5bcb09ff691473a856e63e23d2f36389959f804e82b13a547decc7d6df7
-	Prime1: 0xc11b8705063c662ee0a168b904bbd9c514025360c75e43e7c60c3c17846ede31bba328dfaf8abf513175f312a4263645db0f0797ca7f36d04f996680772264a63c1f76a2a2fe250aa0ca8e96122438bdd5b327e925742047f2b7d0fe3fa6ea07a10cd9a40f8994a95af505116131584c5fc247a7d69df08bfac1b5a23b7c157f
-	Prime2: 0xa7d5dcc534e67a60b918109b7b66cfad37de43b7d51025bfda4fbd30ee3a73362c879f1e251c47ed98a442b33bdcb2112e5aa2b160426e5d6a2c1bb22e104e6db75f0575d979e38146d89db8948500fad36b0875570b3f0ac5754440d14d4b47fa55b77b1d2b9033991c4a858256632759d22c80060d52957643aa8ed789231d
-	Exponent1: 0x80bd04ae0428441f406b9b260327e68362ac3795da3ed7efd95d7d6502f4942127c21b3fca5c7f8b764ea20c6d6eced93cb4afba86ff79e03510ef004f6c43197d6a4f17175418b1c08709b9616d7b2939221a9b6e4d6adaa1cfe0a97fc49c05160891180a5bb870e74e0360eb763add952c2fc539bea05d51d67916d252b8ff
-	Exponent2: 0x6fe3e8837899a6eb26100b1252448a737a942d2538b56e7fe6dfd375f426f779730514bec3682ff3bb182c777d3dcc0b743c6c76402c49939c1d67cc1eb5899e7a3f58f93ba697ab84906925b858ab51e2475af8e4b22a072e4e2d808b88dcdaa6e3cfa768c7b577bb6831ae56e4421a3be173000408e1b8f98271b48fb0c213
-	Coefficient: 0x0a9ea0e995d8d635ac37b5d5f1121ecd4d6387262ea65ea969499ec4c7af9d7a79b256654bda5c972b6efaf5aba35d6790ce4db39258930488ddb2443d19c344312380bed3290f29f0ff5b0ce382622c849f3279f653a2b7c4cc8efbfc5098852fe39aee9da947e53ddfe58bb6b7bb02b693a1b1228dc0481b681d51865d0339
-	}
-# do not change the indenting of that "}"
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index c50c4c594..000000000
--- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index efd9c798a..000000000
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	
-conn net-net
-	left=PH_IP_SUN
-	leftsubnet=10.2.0.0/16
-	leftid=@sun.strongswan.org
-	leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
-	auto=add
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets
deleted file mode 100644
index bf976a8d3..000000000
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA	{
-	# RSA 2048 bits   sun.strongswan.org   Wed Dec  8 21:44:27 2004
-	# for signatures only, UNSAFE FOR ENCRYPTION
-	#pubkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
-	Modulus: 0xa24ae47d7bf58c6453b12b721d68504e4f60c6a0e6c50c95117a3a8b723329998db255b03d2e973e00418ac6a8dbdfb586eac568ddf0420c138086098cc3db346fa0d349e5da210968a96d4cf080bec5ed5f4fe17406c5b5b6d6843745931791fe27e6b8fdaad88381f2880fac8e8a876a09c254f335e519b99a49a0f75dd79920a0b647a70f8594abe35f3cbb8e72082a4e31c0028183d1da2cc116b7b1e6f2a8740d01bdf63d75bd79c2a2f44c5c3eb76be61479b8d5d13181ae981b68c5c13ac44bc233fb0f44ad616f2ca78b17399df310e5899be26742528b5419a0b22836b8a45e7cb1880feb1a5dfc75cc5c67513fe2b1a80e2c7deb38ea0a7c52e253
-	PublicExponent: 0x03
-	# everything after this point is secret
-	PrivateExponent: 0x04eaff2a9726789e3114e24946b595d3d3dc250ca22500619bae5edd701110c697b0121c9d01696e7c21043490c0d83bcdc90dbd5c0f09c24e2aaeba78a1162860793cb4a9dfd274a614a638a27081e6f7ad8e0e96e8eeb7ee448fa49580941bb25e4ccf4d814c611373f49ba061690bdc6ce6dbc94f357ce69811bf0f40e780b643cbe7e076031f234e842b41bc10fb2d359617c64b434cb3dd4d9add91dcbcaef9fba1fb6f217a8ad65bde553bd2792c939ea8b5c0591598e7291597609a779a088e36c1ebe15ebb5e9a7774d9d9cd90913030b88e215f9e66fe0daafb198a3bb9d4e6277b625460ede2d84ce7f3334bf641829c826dbc1549625377c517db
-	Prime1: 0xfee3308b1f16875eeb4ca7ba6a9b8f9279eceff06531aae2bb50d2ccbf7f2b0901f2c5e046856c54c338f4b79943f8ad6d20a97fe0a48786cd659aff3f55e3a8c4c09cad526975180d1c2905ba028b58dd05a71d3a268153fae62eb5e9fe9184b20f9fbd626b14054c4acd7e2de69934d91cbf239c7a63c9d2721cd466df26eb
-	Prime2: 0xa3003cd898c297323377adeed7b4b214dc78e8bf0d9c2c0bef54ed53686547971847d7400e1d8055149ef6425e5241f28b43c8d52b48d281ae4fc7d0589ef8ad9ae95a05e2298cf679135cc0dd7378611e363380852313bfdc259cdb2543d5d1d1b492f6035ec72a2025529c5dff6995ad64b1b7dec3a3755a512073a50ba839
-	Exponent1: 0xa9eccb076a0f04e9f2331a7c47125fb6fbf34aa0437671ec7ce08c887faa1cb0abf72e958458f2e32cd0a32510d7fb1e48c070ffeb185a59de43bcaa2a394270832b131e36f0f8bab3681b5926ac5ce5e8ae6f68d16f00e2a7441f23f1546103215fbfd396f20d58dd8733a973ef10cde6132a17bda6ed3136f6bde2ef3f6f47
-	Exponent2: 0x6caad33b1081ba2177a51e9f3a7876b892fb45d4b3bd72b29f8df38cf043850f65853a2ab413aae36314a42c3ee1814c5cd7db38c785e1abc98a85359069fb1e67463c03ec1bb34efb623dd5e8f7a59614242255ae17627fe819133cc3828e8be1230ca4023f2f716ac38c683eaa4663c8edcbcfe9d7c24e3c3615a26e07c57b
-	Coefficient: 0xbf865c3ed94693c7f16e04fd73929d7b4a3a296d6113eb9b01e87d5cf3be71afa2f838a5a82a97b55e8309025214312edefd3b77c989054bf28ec81bf3989d698671cb64eac9f016cc136f6ab78ce4d5d3837198eea5ec8ed057ba8e0e6f240a60202171f65be992d7bcd54ee0f803e5bd6b8385223b55440e095b28f01bbd0a
-	}
-# do not change the indenting of that "}"
diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index c50c4c594..000000000
--- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/net2net-rsa/posttest.dat b/testing/tests/ikev1/net2net-rsa/posttest.dat
deleted file mode 100644
index 5a9150bc8..000000000
--- a/testing/tests/ikev1/net2net-rsa/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/net2net-rsa/test.conf b/testing/tests/ikev1/net2net-rsa/test.conf
deleted file mode 100644
index f74d0f7d6..000000000
--- a/testing/tests/ikev1/net2net-rsa/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-same-nets/description.txt b/testing/tests/ikev1/net2net-same-nets/description.txt
deleted file mode 100644
index d0eb3374f..000000000
--- a/testing/tests/ikev1/net2net-same-nets/description.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-A connection between two identical <b>10.0.0.0/14</b> networks behind the gateways <b>moon</b>
-and <b>sun</b> is set up. In order to make network routing work, the subnet behind <b>moon</b>
-sees the subnet behind <b>sun</b> as <b>10.4.0.0/14</b> whereas the subnet behind <b>sun</b>
-sees the subnet behind <b>moon</b> as <b>10.8.0.0/14</b>. The necessary network mappings are
-done on gateway <b>sun</b> using the iptables <b>MARK</b> and <b>NETMAP</b> targets.
-<p/>
-Upon the successful establishment of the IPsec tunnel, on gateway <b>moon</b> the directive
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic whereas on gateway <b>sun</b> the script indicated by
-<b>leftupdown=/etc/mark_updown</b> inserts iptables rules that set marks defined in the
-connection definition of <b>ipsec.conf</b> both on the inbound and outbound traffic, create
-the necessary NETMAP operations and forward the tunneled traffic.
-<p/>
-In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
-pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa.
diff --git a/testing/tests/ikev1/net2net-same-nets/evaltest.dat b/testing/tests/ikev1/net2net-same-nets/evaltest.dat
deleted file mode 100644
index b5ad0628e..000000000
--- a/testing/tests/ikev1/net2net-same-nets/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec statusall::net-net.*IPsec SA established::YES
-sun::ipsec statusall::net-net.*IPsec SA established::YES
-alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
-bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
-bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
-bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES 
diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown
deleted file mode 100755
index 0bfdcad85..000000000
--- a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown
+++ /dev/null
@@ -1,376 +0,0 @@
-#! /bin/sh
-# updown script setting inbound marks on ESP traffic in the mangle chain
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# for more details.
-
-# CAUTION:  Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make.  If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# strongSwan use yours instead of this default one.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-#      PLUTO_VERSION
-#              indicates  what  version of this interface is being
-#              used.  This document describes version  1.1.   This
-#              is upwardly compatible with version 1.0.
-#
-#       PLUTO_VERB
-#              specifies the name of the operation to be performed
-#              (prepare-host, prepare-client, up-host, up-client,
-#              down-host, or down-client).  If the address family
-#              for security gateway to security gateway communica-
-#              tions is IPv6, then a suffix of -v6 is added to the
-#              verb.
-#
-#       PLUTO_CONNECTION
-#              is the name of the  connection  for  which  we  are
-#              routing.
-#
-#       PLUTO_NEXT_HOP
-#              is the next hop to which packets bound for the peer
-#              must be sent.
-#
-#       PLUTO_INTERFACE
-#              is the name of the ipsec interface to be used.
-#
-#       PLUTO_REQID
-#              is the requid of the ESP policy
-#
-#       PLUTO_ME
-#              is the IP address of our host.
-#
-#       PLUTO_MY_ID
-#              is the ID of our host.
-#
-#       PLUTO_MY_CLIENT
-#              is the IP address / count of our client subnet.  If
-#              the  client  is  just  the  host,  this will be the
-#              host's own IP address / max (where max  is  32  for
-#              IPv4 and 128 for IPv6).
-#
-#       PLUTO_MY_CLIENT_NET
-#              is the IP address of our client net.  If the client
-#              is just the host, this will be the  host's  own  IP
-#              address.
-#
-#       PLUTO_MY_CLIENT_MASK
-#              is  the  mask for our client net.  If the client is
-#              just the host, this will be 255.255.255.255.
-#
-#       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
-#
-#       PLUTO_MY_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_MY_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on our side.
-#
-#       PLUTO_PEER
-#              is the IP address of our peer.
-#
-#       PLUTO_PEER_ID
-#              is the ID of our peer.
-#
-#       PLUTO_PEER_CA
-#              is the CA which issued the cert of our peer.
-#
-#       PLUTO_PEER_CLIENT
-#              is the IP address / count of the peer's client sub-
-#              net.   If the client is just the peer, this will be
-#              the peer's own IP address / max (where  max  is  32
-#              for IPv4 and 128 for IPv6).
-#
-#       PLUTO_PEER_CLIENT_NET
-#              is the IP address of the peer's client net.  If the
-#              client is just the peer, this will  be  the  peer's
-#              own IP address.
-#
-#       PLUTO_PEER_CLIENT_MASK
-#              is  the  mask  for  the  peer's client net.  If the
-#              client   is   just   the   peer,   this   will   be
-#              255.255.255.255.
-#
-#       PLUTO_PEER_PROTOCOL
-#              is the IP protocol that will be transported.
-#
-#       PLUTO_PEER_PORT
-#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
-#              restricted on the peer side.
-#
-#       PLUTO_XAUTH_ID
-#              is an optional user ID employed by the XAUTH protocol
-#
-#       PLUTO_MARK_IN
-#              is an optional XFRM mark set on the inbound IPsec SA
-#
-#       PLUTO_MARK_OUT
-#              is an optional XFRM mark set on the outbound IPsec SA
-#
-#       PLUTO_UDP_ENC
-#              contains the remote UDP port in the case of ESP_IN_UDP
-#              encapsulation
-#
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
-export PATH
-
-# check parameter(s)
-case "$1:$*" in
-':')			# no parameters
-	;;
-iptables:iptables)	# due to (left/right)firewall; for default script only
-	;;
-custom:*)		# custom parameters (see above CAUTION comment)
-	;;
-*)	echo "$0: unknown parameters \`$*'" >&2
-	exit 2
-	;;
-esac
-
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
-	doroute add
-	ip route flush cache
-}
-downroute() {
-	doroute delete
-	ip route flush cache
-}
-
-addsource() {
-	st=0
-	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
-	then
-	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
-	    oops="`eval $it 2>&1`"
-	    st=$?
-	    if test " $oops" = " " -a " $st" != " 0"
-	    then
-		oops="silent error, exit status $st"
-	    fi
-	    if test " $oops" != " " -o " $st" != " 0"
-	    then
-		echo "$0: addsource \`$it' failed ($oops)" >&2
-	    fi
-	fi
-	return $st
-}
-
-doroute() {
-	st=0
-
-	if [ -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    for dir in /etc/sysconfig /etc/conf.d; do
-		if [ -f "$dir/defaultsource" ]
-		then
-		    . "$dir/defaultsource"
-		fi
-	    done
-
-	    if [ -n "$DEFAULTSOURCE" ]
-	    then
-		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
-	    fi
-        fi
-
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # leave because no route entry is required
-	    return $st
-	fi
-
-	parms1="$PLUTO_PEER_CLIENT"
-
-	if [ -n "$PLUTO_NEXT_HOP" ]
-	then
-	    parms2="via $PLUTO_NEXT_HOP"
-	else
-	    parms2="via $PLUTO_PEER"
-	fi
-	parms2="$parms2 dev $PLUTO_INTERFACE"
-
-	parms3=
-	if [ -n "$PLUTO_MY_SOURCEIP" ]
-	then
-	    if test "$1" = "add"
-	    then
-		addsource
-		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
-		then
-		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
-		fi
-	    fi
-	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
-	fi
-
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# opportunistic encryption work around
-		# need to provide route that eclipses default, without
-		# replacing it.
-		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
-			ip route $1 128.0.0.0/1 $parms2 $parms3"
-		;;
-	*)	it="ip route $1 $parms1 $parms2 $parms3"
-		;;
-	esac
-	oops="`eval $it 2>&1`"
-	st=$?
-	if test " $oops" = " " -a " $st" != " 0"
-	then
-	    oops="silent error, exit status $st"
-	fi
-	if test " $oops" != " " -o " $st" != " 0"
-	then
-	    echo "$0: doroute \`$it' failed ($oops)" >&2
-	fi
-	return $st
-}
-# define NETMAP
-SAME_NET=$PLUTO_PEER_CLIENT
-IN_NET=$PLUTO_MY_CLIENT
-OUT_NET="10.8.0.0/14"
-
-# define internal interface
-INT_INTERFACE="eth1"
-
-# is there an inbound mark to be set?
-if [ -n "$PLUTO_MARK_IN" ]
-then
-	if [ -n "$PLUTO_UDP_ENC" ]
-	then
-	    SET_MARK_IN="-p udp --sport $PLUTO_UDP_ENC"
-	else
-		SET_MARK_IN="-p esp"
-	fi
-	SET_MARK_IN="$SET_MARK_IN -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
-fi
-
-# is there an outbound mark to be set?
-if [ -n "$PLUTO_MARK_OUT" ]
-then
-	SET_MARK_OUT="-i $INT_INTERFACE -s $SAME_NET -d $OUT_NET -j MARK --set-mark $PLUTO_MARK_OUT"
-fi
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-# the big choice
-case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
-	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
-	then
-	    # exit because no route will be added,
-	    # so that existing routes can stay
-	    exit 0
-	fi
-
-	# delete possibly-existing route (preliminary to adding a route)
-	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
-	"0.0.0.0/0.0.0.0")
-		# need to provide route that eclipses default, without
-		# replacing it.
-		parms1="0.0.0.0/1"
-		parms2="128.0.0.0/1"
-		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
-		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
-		;;
-	*)
-		parms="$PLUTO_PEER_CLIENT"
-		it="ip route delete $parms 2>&1"
-		oops="`ip route delete $parms 2>&1`"
-		;;
-	esac
-	status="$?"
-	if test " $oops" = " " -a " $status" != " 0"
-	then
-		oops="silent error, exit status $status"
-	fi
-	case "$oops" in
-	*'RTNETLINK answers: No such process'*)
-		# This is what route (currently -- not documented!) gives
-		# for "could not find such a route".
-		oops=
-		status=0
-		;;
-	esac
-	if test " $oops" != " " -o " $status" != " 0"
-	then
-		echo "$0: \`$it' failed ($oops)" >&2
-	fi
-	exit $status
-	;;
-route-host:*|route-client:*)
-	# connection to me or my client subnet being routed
-	uproute
-	;;
-unroute-host:*|unroute-client:*)
-	# connection to me or my client subnet being unrouted
-	downroute
-	;;
-up-client:)
-	# connection to my client subnet coming up
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK_IN
-	    iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
-		     -d $IN_NET -j NETMAP --to $SAME_NET 
-	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
-	    iptables -t nat -A POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \
-	             -s $SAME_NET -j NETMAP --to $OUT_NET 
-	fi
-	if [ -n "$PLUTO_MARK_OUT" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK_OUT 
-	    iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
-	             -d $OUT_NET -j NETMAP --to $SAME_NET
-	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
-            iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
-                     -s $SAME_NET -j NETMAP --to $IN_NET
-	fi
-	;;
-down-client:)
-	# connection to my client subnet going down
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK_IN
-	    iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
-	             -d $IN_NET -j NETMAP --to $SAME_NET 
-	    iptables -D FORWARD -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
-	    iptables -t nat -D POSTROUTING -o eth1 -m mark --mark $PLUTO_MARK_IN \
-	             -s $SAME_NET -j NETMAP --to $OUT_NET 
-	fi
-	if [ -n "$PLUTO_MARK_OUT" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK_OUT
-	    iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
-	fi
-	;;
-*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
-	exit 1
-	;;
-esac
diff --git a/testing/tests/ikev1/net2net-same-nets/posttest.dat b/testing/tests/ikev1/net2net-same-nets/posttest.dat
deleted file mode 100644
index e75e66650..000000000
--- a/testing/tests/ikev1/net2net-same-nets/posttest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-sun::iptables -t mangle -n -v -L PREROUTING
-sun::iptables -t nat -n -v -L
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-sun::conntrack -F
diff --git a/testing/tests/ikev1/net2net-same-nets/pretest.dat b/testing/tests/ikev1/net2net-same-nets/pretest.dat
deleted file mode 100644
index 2d7a78acb..000000000
--- a/testing/tests/ikev1/net2net-same-nets/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-moon::sleep 1 
-moon::ipsec up net-net
diff --git a/testing/tests/ikev1/net2net-same-nets/test.conf b/testing/tests/ikev1/net2net-same-nets/test.conf
deleted file mode 100644
index 1971a33ab..000000000
--- a/testing/tests/ikev1/net2net-same-nets/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-start/description.txt b/testing/tests/ikev1/net2net-start/description.txt
deleted file mode 100644
index f5320685e..000000000
--- a/testing/tests/ikev1/net2net-start/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-A tunnel connecting the subnets behind the gateways <b>moon</b> and <b>sun</b>,
-respectively, is automatically established by means of the setting
-<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b>
-behind gateway <b>moon</b> pinging the client <b>bob</b> located behind
-gateway <b>sun</b>.
-<p>
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules
-that let pass the tunneled traffic.
diff --git a/testing/tests/ikev1/net2net-start/evaltest.dat b/testing/tests/ikev1/net2net-start/evaltest.dat
deleted file mode 100644
index 7cbf92687..000000000
--- a/testing/tests/ikev1/net2net-start/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-start/posttest.dat b/testing/tests/ikev1/net2net-start/posttest.dat
deleted file mode 100644
index 5a9150bc8..000000000
--- a/testing/tests/ikev1/net2net-start/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/net2net-start/pretest.dat b/testing/tests/ikev1/net2net-start/pretest.dat
deleted file mode 100644
index f0c5bcec6..000000000
--- a/testing/tests/ikev1/net2net-start/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-sun::ipsec start
-alice::sleep 20 
diff --git a/testing/tests/ikev1/net2net-start/test.conf b/testing/tests/ikev1/net2net-start/test.conf
deleted file mode 100644
index d9a61590f..000000000
--- a/testing/tests/ikev1/net2net-start/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/no-priv-key/description.txt b/testing/tests/ikev1/no-priv-key/description.txt
deleted file mode 100644
index 21b8eccb1..000000000
--- a/testing/tests/ikev1/no-priv-key/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-This scenario tests whether the correct encrypted informational messages are
-generated by the initiator <b>carol</b> and subsequently decoded by the
-responder <b>moon</b> when roadwarrior <b>carol</b> finds out that she
-doesn't have a private RSA key to sign her hash with.
diff --git a/testing/tests/ikev1/no-priv-key/evaltest.dat b/testing/tests/ikev1/no-priv-key/evaltest.dat
deleted file mode 100644
index e5a8de0b9..000000000
--- a/testing/tests/ikev1/no-priv-key/evaltest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-carol::cat /var/log/auth.log::unable to locate my private key::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 23b311aa6..000000000
--- a/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# missing private RSA key
diff --git a/testing/tests/ikev1/no-priv-key/posttest.dat b/testing/tests/ikev1/no-priv-key/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/no-priv-key/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/no-priv-key/pretest.dat b/testing/tests/ikev1/no-priv-key/pretest.dat
deleted file mode 100644
index d92333d86..000000000
--- a/testing/tests/ikev1/no-priv-key/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/no-priv-key/test.conf b/testing/tests/ikev1/no-priv-key/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/no-priv-key/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/ocsp-revoked/description.txt b/testing/tests/ikev1/ocsp-revoked/description.txt
deleted file mode 100644
index cbdd1305a..000000000
--- a/testing/tests/ikev1/ocsp-revoked/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and no current revocation information is available, the Main Mode
-negotiation fails but an OCSP request issued to the OCSP server <b>winnetou</b>.
-When the second Main Mode trial comes around the OCSP response will be available
-but because the certificate presented by carol has been revoked,
-the IKE negotatiation will fail..
diff --git a/testing/tests/ikev1/ocsp-revoked/evaltest.dat b/testing/tests/ikev1/ocsp-revoked/evaltest.dat
deleted file mode 100644
index f5286cb61..000000000
--- a/testing/tests/ikev1/ocsp-revoked/evaltest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::certificate was revoked::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec listocsp:: revoked::YES
-moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO
-carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index a62964829..000000000
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	ocspuri=http://ocsp.strongswan.org:8880
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolRevokedCert.pem
-	leftid=carol@strongswan.org
-
-conn home
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
deleted file mode 100644
index a92610c4f..000000000
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIjCCAwqgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MDgyNzEwMzEwNloXDTE0MDgyNjEwMzEwNlowWjELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
-cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAOHh/BBf9VwUbx3IU2ZvKJylwCUP2Gr40Velcexr
-lR1PoK3nwZrJxxfhhxrxdx7Wnt/PDiF2eyzA9U4cOyS1zPpWuRt69PEOWfzQJZkD
-e5C6bXZMHwJGaCM0h8EugnwI7/XgbEq8U/1PBwIeFh8xSyIwyn8NqyHWm+6haFZG
-Urz7y0ZOAYcX5ZldP8vjm2SyAl0hPlod0ypk2K1igmO8w3cRRFqD27XhztgIJyoi
-+BO3umc+BXcpPGoZ7IFaXvHcMVECrxbkrvRdpKiz/4+u8FakQJtBmYuqP2TLodRJ
-TKSJ4UvIPXZ8DTEYC/Ja/wrm1hNfH4T3YjWGT++lVbYF7qECAwEAAaOCAQYwggEC
-MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQRnt9aYXsi/fgMXGVh
-ZpTfg8kSYjBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL
-MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT
-EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz
-d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
-b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCY2EMqkuhtAls/
-jkjXm+sI5YVglE62itSYgJxKZhxoFn3l4Afc6+XBeftK8Y1IjXdeyQUg8qHhkctl
-nBiEzRCClporCOXl5hOzWi+ft2hyKgcx8mFB8Qw5ZE9z8dvY70jdPCB4cH5EVaiC
-6ElGcI02iO073iCe38b3rmpwfnkIWZ0FVjSFSsTiNPLXWH6m6tt9Gux/PFuLff4a
-cdGfEGs01DEp9t0bHqZd6ESf2rEUljT57i9wSBfT5ULj78VTgudw/WhB0CgiXD+f
-q2dZC/19B8Xmk6XmEpRQjFK6wFmfBiQdelJo17/8M4LdT/RfvTHJOxr2OAtvCm2Z
-0xafBd5x
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
deleted file mode 100644
index 60e7fdfa9..000000000
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEA4eH8EF/1XBRvHchTZm8onKXAJQ/YavjRV6Vx7GuVHU+grefB
-msnHF+GHGvF3Htae388OIXZ7LMD1Thw7JLXM+la5G3r08Q5Z/NAlmQN7kLptdkwf
-AkZoIzSHwS6CfAjv9eBsSrxT/U8HAh4WHzFLIjDKfw2rIdab7qFoVkZSvPvLRk4B
-hxflmV0/y+ObZLICXSE+Wh3TKmTYrWKCY7zDdxFEWoPbteHO2AgnKiL4E7e6Zz4F
-dyk8ahnsgVpe8dwxUQKvFuSu9F2kqLP/j67wVqRAm0GZi6o/ZMuh1ElMpInhS8g9
-dnwNMRgL8lr/CubWE18fhPdiNYZP76VVtgXuoQIDAQABAoIBAQCbF5UAkUJgdM9O
-fat128DgvZXOXLDV0f261igAkmWR+Ih0n3n5E64VoY4oW77Ud7wiI4KqSzWLpvlH
-Jm8dZ45UHJOAYM4pbRcwVKJcC14eI0LhRKbN4xXBhmHnrE1/aIuKIQt5zRFGDarc
-M1gxFqFl2mZPEk18MGRkVoLTKfnJMzdHI1m0IAMwg3Rl9cmuVdkhTS+IAoULVNnI
-0iAOsFN8SdDaKBqRcPkypT5s4wjGH4s7zjW4PmEDwDhhfeHkVccCuH8n3un1bPT2
-oc73RSXdCYMgDTD3waXC+4cCQGPZmUCl6Mfq7YCECkUpUg6rHlaCYRSZZoQPf5vH
-VsBUvjABAoGBAPHSnJOL6tcqJCCZ27E3zIsmZ+d6dX4B/YN1Xk3vKHhavN5Ks6Gx
-ZCsaluMuB2qyBRrpKnSAz6lUQ1TOxzuphlVIX1EnLW+JvNgFyem9PARsP2SMsKqm
-VaqnId6pprdbP53NpL9Z7AsbS/i/Ab6WpVPyYHdqVsimCdRGK9/JlOnBAoGBAO8g
-I4a4dJKiwHBHyP6wkYrhWdYwmjTJlskNNjrvtn7bCJ/Lm0SaGFXKIHCExnenZji0
-bBp3XiFNPlPfjTaXG++3IH6fxYdHonsrkxbUHvGAVETmHVLzeFiAKuUBvrWuKecD
-yoywVenugORQIPal3AcLwPsVRfDU89tTQhiFq3zhAoGBAIqmfy/54URM3Tnz/Yq2
-u4htFNYb2JHPAlQFT3TP0xxuqiuqGSR0WUJ9lFXdZlM+jr7HQZha4rXrok9V39XN
-dUAgpsYY+GwjRSt25jYmUesXRaGZKRIvHJ8kBL9t9jDbGLaZ2gP8wuH7XKvamF12
-coSXS8gsKGYTDT+wnCdLpR4BAoGAFwuV4Ont8iPVP/zrFgCWRjgpnEba1bOH4KBx
-VYS8pcUeM6g/soDXT41HSxDAv89WPqjEslhGrhbvps2oolY1zwhrDUkAlGUG96/f
-YRfYU5X2iR1UPiZQttbDS4a7hm7egvEOmDh2TzE5IsfGJX8ekV9Ene4S637acYy4
-lfxr5oECgYEAzRuvh6aG7UmKwNTfatEKav7/gUH3QBGK+Pp3TPSmR5PKh/Pk4py6
-95bT4mHrKCBIfSv/8h+6baYZr9Ha1Oj++J94RXEi8wdjjl1w3LGQrM/X+0AVqn5P
-b5w1nvRK7bMikIXbZmPJmivrfChcjD21gvWeF6Osq8McWF8jW2HzrZw=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 8e31be4cb..000000000
--- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolRevokedKey.pem
diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index cd2ab0aca..000000000
--- a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	ocspuri=http://ocsp.strongswan.org:8880
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn net-net
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
-        
-conn host-host
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	auto=add
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/ocsp-revoked/posttest.dat b/testing/tests/ikev1/ocsp-revoked/posttest.dat
deleted file mode 100644
index d742e8410..000000000
--- a/testing/tests/ikev1/ocsp-revoked/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/ocsp-revoked/pretest.dat b/testing/tests/ikev1/ocsp-revoked/pretest.dat
deleted file mode 100644
index d92333d86..000000000
--- a/testing/tests/ikev1/ocsp-revoked/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/ocsp-revoked/test.conf b/testing/tests/ikev1/ocsp-revoked/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/ocsp-revoked/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/ocsp-strict/description.txt b/testing/tests/ikev1/ocsp-strict/description.txt
deleted file mode 100644
index 7cb983140..000000000
--- a/testing/tests/ikev1/ocsp-strict/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on
-both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates
-the connection and no current revocation information is available, the Main Mode
-negotiation fails but an OCSP request is issued to the OCSP server <b>winnetou</b>.
-When the second Main Mode trial comes around, the OCSP response will be available
-and the IKE negotiation completes.
diff --git a/testing/tests/ikev1/ocsp-strict/evaltest.dat b/testing/tests/ikev1/ocsp-strict/evaltest.dat
deleted file mode 100644
index 66b27aaac..000000000
--- a/testing/tests/ikev1/ocsp-strict/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::cat /var/log/auth.log::X.509 certificate rejected::YES
-carol::cat /var/log/auth.log::X.509 certificate rejected::YES
-moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec listocsp:: good::YES
-carol::ipsec listocsp:: good::YES
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index c79b1c3e2..000000000
--- a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	ocspuri=http://ocsp.strongswan.org:8880
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-
-conn home
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index cd2ab0aca..000000000
--- a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	charonstart=no
-
-ca strongswan
-	cacert=strongswanCert.pem
-	ocspuri=http://ocsp.strongswan.org:8880
-	auto=add
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn net-net
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-	rightsubnet=10.2.0.0/16
-	rightid=@sun.strongswan.org
-	auto=add
-        
-conn host-host
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	auto=add
-
-conn rw
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/ocsp-strict/posttest.dat b/testing/tests/ikev1/ocsp-strict/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/ocsp-strict/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/ocsp-strict/pretest.dat b/testing/tests/ikev1/ocsp-strict/pretest.dat
deleted file mode 100644
index d92333d86..000000000
--- a/testing/tests/ikev1/ocsp-strict/pretest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/ocsp-strict/test.conf b/testing/tests/ikev1/ocsp-strict/test.conf
deleted file mode 100644
index 2b240d895..000000000
--- a/testing/tests/ikev1/ocsp-strict/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/passthrough/description.txt b/testing/tests/ikev1/passthrough/description.txt
deleted file mode 100644
index 145c5b79c..000000000
--- a/testing/tests/ikev1/passthrough/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-All IP traffic from the subnet behind the gateway <b>moon</b> is tunneled
-to the gateway  <b>sun</b> using the 0.0.0.0/0 network mask. In order
-to prevent local subnet traffic from escaping through the tunnel, a
-passthrough policy for the 10.1.0.0/16 network is inserted on <b>moon</b>.
-A series of internal and external pings verifies the correct
-functioning of the setup.
diff --git a/testing/tests/ikev1/passthrough/evaltest.dat b/testing/tests/ikev1/passthrough/evaltest.dat
deleted file mode 100644
index 942222f08..000000000
--- a/testing/tests/ikev1/passthrough/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 25eec2a3e..000000000
--- a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	right=PH_IP_SUN
-
-conn net-net
-	rightsubnet=0.0.0.0/0
-	rightid=@sun.strongswan.org
-	leftid=@moon.strongswan.org
-	leftcert=moonCert.pem
-	leftsourceip=10.1.0.1
-	leftfirewall=yes
-	lefthostaccess=yes
-	auto=add
-        
-conn pass
-	rightsubnet=10.1.0.0/16
-	type=passthrough
-	authby=never
-	auto=route
diff --git a/testing/tests/ikev1/passthrough/posttest.dat b/testing/tests/ikev1/passthrough/posttest.dat
deleted file mode 100644
index db17f4c65..000000000
--- a/testing/tests/ikev1/passthrough/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::ip route flush table 50 
-moon::ip rule del table 50
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/passthrough/pretest.dat b/testing/tests/ikev1/passthrough/pretest.dat
deleted file mode 100644
index 6b5295469..000000000
--- a/testing/tests/ikev1/passthrough/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::iptables -I INPUT  -i eth1 -s 10.1.0.0/16 -j ACCEPT
-moon::iptables -I OUTPUT -o eth1 -d 10.1.0.0/16 -j ACCEPT
-moon::ip rule add pref 50 table 50
-moon::ip route add 192.168.0.254 via PH_IP_MOON table 50
-moon::ip route add 10.1.0.0/16 via PH_IP_MOON1 table 50
-moon::ipsec start
-sun::ipsec start
-moon::sleep 2
-moon::ipsec up net-net
diff --git a/testing/tests/ikev1/passthrough/test.conf b/testing/tests/ikev1/passthrough/test.conf
deleted file mode 100644
index d9a61590f..000000000
--- a/testing/tests/ikev1/passthrough/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
- 
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/protoport-dual/evaltest.dat b/testing/tests/ikev1/protoport-dual/evaltest.dat
index 11c34929f..cf45f3b52 100644
--- a/testing/tests/ikev1/protoport-dual/evaltest.dat
+++ b/testing/tests/ikev1/protoport-dual/evaltest.dat
@@ -1,7 +1,9 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
index 48df689af..37eb67d51 100755..100644
--- a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
index c4bfebda1..26c6882f5 100755..100644
--- a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/protoport-dual/posttest.dat b/testing/tests/ikev1/protoport-dual/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev1/protoport-dual/posttest.dat
+++ b/testing/tests/ikev1/protoport-dual/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/protoport-dual/pretest.dat b/testing/tests/ikev1/protoport-dual/pretest.dat
index d3d0061c3..efb2e5712 100644
--- a/testing/tests/ikev1/protoport-dual/pretest.dat
+++ b/testing/tests/ikev1/protoport-dual/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev1/protoport-dual/test.conf b/testing/tests/ikev1/protoport-dual/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev1/protoport-dual/test.conf
+++ b/testing/tests/ikev1/protoport-dual/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/protoport-pass/description.txt b/testing/tests/ikev1/protoport-pass/description.txt
deleted file mode 100644
index 63744fa47..000000000
--- a/testing/tests/ikev1/protoport-pass/description.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-Using the <b>left|rightprotoport</b> selectors, the IPsec tunnel is
-restricted to the ICMP protocol. Upon the successful establishment of the
-IPsec tunnel, <b>firewall=yes</b> automatically inserts iptables-based
-firewall rules that let pass the tunneled ICMP traffic. In order to test
-both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
-the gateway <b>moon</b> as well as the inner interface of the gateway.
-For the latter ping <b>lefthostaccess=yes</b> is required.
-<p>
-By default, the native IPsec stack of the Linux 2.6 kernel transmits
-protocols and ports not covered by any IPsec SA in the clear. Thus by
-selectively opening the firewalls, <b>carol</b> sets up an SSH session to
-<b>alice</b> that is not going through the tunnel.
diff --git a/testing/tests/ikev1/protoport-pass/evaltest.dat b/testing/tests/ikev1/protoport-pass/evaltest.dat
deleted file mode 100644
index 11c34929f..000000000
--- a/testing/tests/ikev1/protoport-pass/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index aae781b69..000000000
--- a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home-icmp
-	left=PH_IP_CAROL
-        leftid=carol@strongswan.org
-	leftcert=carolCert.pem
-	leftprotoport=icmp
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightprotoport=icmp
-        rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 7b80a299e..000000000
--- a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn rw-icmp
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftprotoport=icmp
-	leftid=@moon.strongswan.org
-	leftcert=moonCert.pem
-	leftfirewall=yes
-	lefthostaccess=yes
-	right=%any
-	rightprotoport=icmp
-	auto=add
diff --git a/testing/tests/ikev1/protoport-pass/posttest.dat b/testing/tests/ikev1/protoport-pass/posttest.dat
deleted file mode 100644
index d6f014882..000000000
--- a/testing/tests/ikev1/protoport-pass/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-carol::ip route del 10.1.0.0/16 via PH_IP_MOON
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/protoport-pass/pretest.dat b/testing/tests/ikev1/protoport-pass/pretest.dat
deleted file mode 100644
index 37f545062..000000000
--- a/testing/tests/ikev1/protoport-pass/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-moon::iptables -I FORWARD -i eth0 -p tcp -d 10.1.0.0/16 --dport ssh -jACCEPT
-moon::iptables -I FORWARD -o eth0 -p tcp -s 10.1.0.0/16 --sport ssh -jACCEPT
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::iptables -I INPUT  -i eth0 -p tcp -s 10.1.0.0/16 --sport ssh -d PH_IP_CAROL -jACCEPT
-carol::iptables -I OUTPUT -o eth0 -p tcp -d 10.1.0.0/16 --dport ssh -s PH_IP_CAROL -jACCEPT
-carol::ip route add 10.1.0.0/16 via PH_IP_MOON
-moon::ipsec start
-carol::ipsec start
-carol::sleep 2
-carol::ipsec up home-icmp
diff --git a/testing/tests/ikev1/protoport-pass/test.conf b/testing/tests/ikev1/protoport-pass/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/ikev1/protoport-pass/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/protoport-route/description.txt b/testing/tests/ikev1/protoport-route/description.txt
deleted file mode 100644
index ec7ec69b0..000000000
--- a/testing/tests/ikev1/protoport-route/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels 
-between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are
-defined. The first IPsec SA is restricted to ICMP packets and the second
-covers TCP-based SSH connections. Using <b>add=route</b> %trap
-eroutes for these IPsec SAs are prepared on <b>carol</b>. By sending
-a ping to the client <b>alice</b> behind <b>moon</b>, the ICMP eroute
-is triggered and the corresponding IPsec tunnel is set up. In the same
-way an ssh session to <b>alice</b> over the second IPsec SA is established.
diff --git a/testing/tests/ikev1/protoport-route/evaltest.dat b/testing/tests/ikev1/protoport-route/evaltest.dat
deleted file mode 100644
index b266d86d8..000000000
--- a/testing/tests/ikev1/protoport-route/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
-carol::ssh PH_IP_ALICE hostname::alice::YES
-carol::cat /var/log/auth.log::initiate on demand::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 2bb557410..000000000
--- a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=route
-	
-conn home-icmp
-	leftprotoport=icmp
-	rightprotoport=icmp
-
-conn home-ssh
-	leftprotoport=tcp
-	rightprotoport=tcp/ssh
diff --git a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index c4bfebda1..000000000
--- a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	leftsubnet=10.1.0.0/16
-	right=%any
-	auto=add
-
-conn rw-icmp
-	lefthostaccess=yes
-	leftprotoport=icmp
-	rightprotoport=icmp
-
-conn rw-ssh
-	leftprotoport=tcp/ssh
-	rightprotoport=tcp
diff --git a/testing/tests/ikev1/protoport-route/posttest.dat b/testing/tests/ikev1/protoport-route/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev1/protoport-route/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/protoport-route/pretest.dat b/testing/tests/ikev1/protoport-route/pretest.dat
deleted file mode 100644
index d52aeaeb8..000000000
--- a/testing/tests/ikev1/protoport-route/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-carol::sleep 3 
-carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname
-carol::ping -c 1 PH_IP_MOON1 > /dev/null
-carol::sleep 2 
diff --git a/testing/tests/ikev1/protoport-route/test.conf b/testing/tests/ikev1/protoport-route/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/ikev1/protoport-route/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/req-pkcs10/description.txt b/testing/tests/ikev1/req-pkcs10/description.txt
deleted file mode 100644
index a958cb8e8..000000000
--- a/testing/tests/ikev1/req-pkcs10/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Both the roadwarrior <b>carol</b> and the gateway <b>moon</b> generate a
-PKCS#1 RSA private key and a PKCS#10 certificate request using the 
-<b>ipsec scepclient</b> function. Because the UML testing environment
-does not offer enough entropy, the non-blocking /dev/urandom device is
-used in place of /dev/random for generating the random primes.
-<p>
-The certificate requests are copied to <b>winnetou</b> where a certification
-authority based on OpenSSL issues X.509 certificates by verifying and
-signing the PCKS#10 requests. The certificates are then copied back to
-the corresponding hosts and used to set up a road warrior connection
-initiated by <b>carol</b> 
diff --git a/testing/tests/ikev1/req-pkcs10/evaltest.dat b/testing/tests/ikev1/req-pkcs10/evaltest.dat
deleted file mode 100644
index c7657801e..000000000
--- a/testing/tests/ikev1/req-pkcs10/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 167d743df..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA myKey.der
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf
deleted file mode 100644
index 6afd3fa11..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf
+++ /dev/null
@@ -1,3 +0,0 @@
---debug-control
---out pkcs1
---out pkcs10
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e589a9425..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index b9ec17dbc..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.der
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf
deleted file mode 100644
index da8177348..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf
+++ /dev/null
@@ -1,4 +0,0 @@
---debug-control
---keylength 2064
---out pkcs1=moonKey.der
---out pkcs10=moonReq.der
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index e589a9425..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt b/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt
deleted file mode 100644
index 9b48ee4cf..000000000
--- a/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-y
-y
diff --git a/testing/tests/ikev1/req-pkcs10/posttest.dat b/testing/tests/ikev1/req-pkcs10/posttest.dat
deleted file mode 100644
index 933b4b6c4..000000000
--- a/testing/tests/ikev1/req-pkcs10/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/reqs/*
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/reqs/*
-winnetou::rm /etc/openssl/carol*
-winnetou::rm /etc/openssl/moon*
diff --git a/testing/tests/ikev1/req-pkcs10/pretest.dat b/testing/tests/ikev1/req-pkcs10/pretest.dat
deleted file mode 100644
index cb4355efa..000000000
--- a/testing/tests/ikev1/req-pkcs10/pretest.dat
+++ /dev/null
@@ -1,23 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-carol::cat /etc/scepclient.conf
-carol::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=carol@strongswan.org\" --optionsfrom /etc/scepclient.conf
-winnetou::scp carol:/etc/ipsec.d/reqs/myReq.der /etc/openssl/carolReq.der
-winnetou::openssl req -inform der -in /etc/openssl/carolReq.der -out /etc/openssl/carolReq.pem
-winnetou::cd /etc/openssl; COMMON_NAME="carol@strongswan.org" openssl ca -in carolReq.pem -out carolCert.pem -notext -config openssl.cnf -extensions user_ext < yy.txt
-winnetou::scp /etc/openssl/carolCert.pem carol:/etc/ipsec.d/certs/myCert.pem
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-moon::cat /etc/scepclient.conf
-moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, SN=01, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf
-winnetou::scp moon:/etc/ipsec.d/reqs/moonReq.der /etc/openssl/
-winnetou::openssl req -inform der -in /etc/openssl/moonReq.der -out /etc/openssl/moonReq.pem
-winnetou::cd /etc/openssl; COMMON_NAME="moon.strongswan.org" openssl ca -in moonReq.pem -out moonCert.pem -notext -config openssl.cnf -extensions host_ext < yy.txt
-winnetou::scp /etc/openssl/moonCert.pem moon:/etc/ipsec.d/certs/
-carol::sleep 2
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/req-pkcs10/test.conf b/testing/tests/ikev1/req-pkcs10/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/ikev1/req-pkcs10/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/rw-cert-aggressive/description.txt b/testing/tests/ikev1/rw-cert-aggressive/description.txt
new file mode 100644
index 000000000..1c4535c23
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b> using <b>IKEv1 Aggressive Mode</b>. The authentication is
+based on <b>X.509 certificates</b>. Upon the successful establishment of the IPsec
+tunnels, <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
+rules that let pass the tunneled traffic. In order to test both tunnel and
+firewall, both <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind
+the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat b/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat
new file mode 100644
index 000000000..ba661975b
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..77ed2c0c9
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="job 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	aggressive=yes
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c032d8291
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf
index 726998e19..82a8f38c5 100755..100644
--- a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+	charondebug="job 2"
 
 conn %default
 	ikelifetime=60m
@@ -12,18 +9,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	aggressive=yes
 
 conn home
 	left=PH_IP_DAVE
-	leftsourceip=%modeconfig
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c032d8291
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/ipsec.conf
index f0dbeb323..49d0909a5 100755..100644
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -10,6 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	aggressive=yes
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..c032d8291
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-cert-aggressive/posttest.dat b/testing/tests/ikev1/rw-cert-aggressive/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
new file mode 100644
index 000000000..8bbea1412
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-cert-aggressive/test.conf b/testing/tests/ikev1/rw-cert-aggressive/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-aggressive/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-cert-unity/description.txt b/testing/tests/ikev1/rw-cert-unity/description.txt
new file mode 100644
index 000000000..5e887c7f4
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/description.txt
@@ -0,0 +1,6 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The authentication is based on <b>X.509 certificates</b>. <b>carol</b>
+requests a virtual IP using <b>leftsourceip=%config</b> and indicates
+support for the Cisco Unity extension. Gateway <b>moon</b> responds with
+two Split-Include subnets configured in the <b>leftsubnet</b> definition and a
+global Local-LAN exclude option defined in strongswan.conf.
diff --git a/testing/tests/ikev1/rw-cert-unity/evaltest.dat b/testing/tests/ikev1/rw-cert-unity/evaltest.dat
new file mode 100644
index 000000000..c183f48e9
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/evaltest.dat
@@ -0,0 +1,8 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::10.2.1.1/32 === 192.168.0.0/24 PASS::YES
+carol::ipsec status 2> /dev/null::home.*10.2.1.1/32 === 10.1.0.0/16 10.2.1.0/24::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 10.2.1.0/24 === 10.2.1.1/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/ipsec.conf
index 99a8c60ff..bad62811b 100755..100644
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -15,10 +11,10 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
-	leftfirewall=yes
+	leftsourceip=%config
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightsubnet=0.0.0.0/0
 	auto=add
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..14e061408
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default unity
+  cisco_unity = yes
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..ee8ee9093
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16,10.2.1.0/24
+	right=%any
+	rightsourceip=10.2.1.0/24
+	auto=add
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cbc51d38c
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default attr unity
+  cisco_unity = yes
+  plugins {
+    attr {
+      split-exclude = 192.168.0.0/24
+    }
+  }
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/gcrypt-ikev1/alg-camellia/posttest.dat b/testing/tests/ikev1/rw-cert-unity/posttest.dat
index c6d6235f9..c6d6235f9 100644
--- a/testing/tests/gcrypt-ikev1/alg-camellia/posttest.dat
+++ b/testing/tests/ikev1/rw-cert-unity/posttest.dat
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat b/testing/tests/ikev1/rw-cert-unity/pretest.dat
index 89e487ad3..4fbe475bf 100644
--- a/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat
+++ b/testing/tests/ikev1/rw-cert-unity/pretest.dat
@@ -1,5 +1,4 @@
-carol::ipsec start
 moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
+carol::ipsec start
 carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-cert-unity/test.conf b/testing/tests/ikev1/rw-cert-unity/test.conf
new file mode 100644
index 000000000..09e6f6cdb
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert-unity/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/rw-cert/description.txt b/testing/tests/ikev1/rw-cert/description.txt
index 8df6b1c0d..15b3822b5 100644
--- a/testing/tests/ikev1/rw-cert/description.txt
+++ b/testing/tests/ikev1/rw-cert/description.txt
@@ -1,6 +1,6 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> pings the client
-<b>alice</b> behind the gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-cert/evaltest.dat b/testing/tests/ikev1/rw-cert/evaltest.dat
index c7657801e..ba661975b 100644
--- a/testing/tests/ikev1/rw-cert/evaltest.dat
+++ b/testing/tests/ikev1/rw-cert/evaltest.dat
@@ -1,5 +1,15 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..58914391c
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 7403971e9..8822cae64 100644
--- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
   integrity_test = yes
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-cert/hosts/dave/etc/ipsec.conf
index 73167caad..150c63bc7 100755..100644
--- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +8,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha256-modp2048!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..8822cae64
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+  integrity_test = yes
+  crypto_test {
+    on_add = yes
+  }
+}
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/ipsec.conf
index 991ae4368..5cf82c6b8 100755..100644
--- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 7403971e9..8822cae64 100644
--- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
   integrity_test = yes
diff --git a/testing/tests/ikev1/rw-cert/posttest.dat b/testing/tests/ikev1/rw-cert/posttest.dat
index 94a400606..1865a1c60 100644
--- a/testing/tests/ikev1/rw-cert/posttest.dat
+++ b/testing/tests/ikev1/rw-cert/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-cert/pretest.dat b/testing/tests/ikev1/rw-cert/pretest.dat
index 4fe0ee90b..8bbea1412 100644
--- a/testing/tests/ikev1/rw-cert/pretest.dat
+++ b/testing/tests/ikev1/rw-cert/pretest.dat
@@ -1,6 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
 carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-cert/test.conf b/testing/tests/ikev1/rw-cert/test.conf
index 9cd583b16..f29298850 100644
--- a/testing/tests/ikev1/rw-cert/test.conf
+++ b/testing/tests/ikev1/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-initiator-only/description.txt b/testing/tests/ikev1/rw-initiator-only/description.txt
new file mode 100644
index 000000000..478004162
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
+the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-initiator-only/evaltest.dat b/testing/tests/ikev1/rw-initiator-only/evaltest.dat
new file mode 100644
index 000000000..80fd7c5be
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/evaltest.dat
@@ -0,0 +1,8 @@
+dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..58914391c
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc900c4f2
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..b262ecbea
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..9251921ff
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..4c5df8825
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7f31b170b
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/posttest.dat b/testing/tests/ikev1/rw-initiator-only/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-initiator-only/pretest.dat b/testing/tests/ikev1/rw-initiator-only/pretest.dat
new file mode 100644
index 000000000..fc7173430
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-initiator-only/test.conf b/testing/tests/ikev1/rw-initiator-only/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev1/rw-initiator-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-mark-in-out/description.txt b/testing/tests/ikev1/rw-mark-in-out/description.txt
deleted file mode 100644
index 4c35081b1..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/description.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
-tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
-gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
-and 10.3.0.20, respectively.
-<p/>
-In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
-<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
-the <b>mark_in</b> and <b>mark_out</b> parameters in ipsec.conf.
-<p/>
-<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
-and from <b>alice</b> and <b>venus</b>, respectively.
-<p/>
-The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts
-iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules
-that let pass the tunneled traffic. In order to test the tunnel, the hosts <b>alice</b>
-and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/rw-mark-in-out/evaltest.dat b/testing/tests/ikev1/rw-mark-in-out/evaltest.dat
deleted file mode 100644
index 168b3dfb9..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-alice::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::alice.*alice@strongswan.org::YES
-sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::venus.*venus.strongswan.org::YES
-sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES
-sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
-moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
-moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
-moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES
-bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 5594bbf52..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index 4256006c0..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=%defaultroute
-	leftsubnet=10.1.0.0/25
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	lefthostaccess=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index 83fe9eed2..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,37 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn alice
-	rightid=alice@strongswan.org
-	mark_in=10/0xffffffff
-	mark_out=11/0xffffffff
-	also=sun
-	auto=add
-
-conn venus
-	rightid=@venus.strongswan.org
-	mark_in=20  #0xffffffff is used by default
-	mark_out=21 #0xffffffff is used by default
-	also=sun
-	auto=add
-
-conn sun
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftsubnet=10.2.0.0/16
-	leftupdown=/etc/mark_updown
-	right=%any
-	rightsubnet=10.1.0.0/25
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 5594bbf52..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf
deleted file mode 100755
index e7561ebbe..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=%defaultroute
-	leftsubnet=10.1.0.0/25
-	leftcert=venusCert.pem
-	leftid=@venus.strongswan.org
-	leftfirewall=yes
-	lefthostaccess=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/rw-mark-in-out/posttest.dat b/testing/tests/ikev1/rw-mark-in-out/posttest.dat
deleted file mode 100644
index fae79271b..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/posttest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-sun::iptables -t mangle -v -n -L PREROUTING
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-sun::ip route del 10.1.0.0/16 via PH_IP_MOON
-sun::conntrack -F
-sun::rm /etc/mark_updown
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev1/rw-mark-in-out/pretest.dat b/testing/tests/ikev1/rw-mark-in-out/pretest.dat
deleted file mode 100644
index 427e5c67f..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/pretest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
-sun::ip route add 10.1.0.0/16 via PH_IP_MOON
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 2
-alice::ipsec up home
-venus::sleep 2
-venus::ipsec up home
-venus::sleep 2
diff --git a/testing/tests/ikev1/rw-mark-in-out/test.conf b/testing/tests/ikev1/rw-mark-in-out/test.conf
deleted file mode 100644
index ae3c190b8..000000000
--- a/testing/tests/ikev1/rw-mark-in-out/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/rw-psk-aggressive/description.txt b/testing/tests/ikev1/rw-psk-aggressive/description.txt
new file mode 100644
index 000000000..32a476ee8
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b> using <b>IKEv1 Aggressive Mode</b>. The authentication
+is based on distinct <b>pre-shared keys</b> and <b>Fully Qualified Domain Names</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping the
+client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat b/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat
new file mode 100644
index 000000000..2342d024b
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat
@@ -0,0 +1,14 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.conf
index c040fe88f..fe086b8d5 100755..100644
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -10,13 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	authby=secret
+	aggressive=yes
 	
 conn home
-	authby=secret
 	left=PH_IP_CAROL
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..47e31ca21
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..d84cba2b0
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.conf
index ffa211299..df2887263 100755..100644
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,10 +9,11 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	authby=secret
+	aggressive=yes
 	
 conn home
-	left=PH_IP_CAROL
-	leftid=@carol.strongswan.org
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..f6c1a22ef
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..d84cba2b0
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.conf
index dbd3adb4c..cb8a0cd78 100755..100644
--- a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -9,12 +8,13 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-
-conn rw-psk
 	authby=secret
+	aggressive=yes
+
+conn rw
 	left=PH_IP_MOON
-	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
 	leftfirewall=yes
 	right=%any
 	auto=add
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e3dd0fba3
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+@moon.strongswan.org dave@strongswan.org  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..708a71c7e
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+
+  i_dont_care_about_security_and_use_aggressive_mode_psk = yes
+}
diff --git a/testing/tests/ikev1/rw-psk-aggressive/posttest.dat b/testing/tests/ikev1/rw-psk-aggressive/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
index 95a6be131..44f41f995 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-moon::ipsec start
 carol::ipsec start
 dave::ipsec start
+moon::ipsec start
 carol::sleep 2
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-aggressive/test.conf b/testing/tests/ikev1/rw-psk-aggressive/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-aggressive/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/description.txt b/testing/tests/ikev1/rw-psk-fqdn-named/description.txt
deleted file mode 100644
index adfab2f4d..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is
-based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN). 
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind
-the gateway <b>moon</b>.
-<p>
-The significant difference between this scenario and the test
-<a href="../rw-psk-fqdn"><b>rw-psk-fqdn</b></a>
-is the additional line <b>rightid=@carol.strongswan.org</b> by which gateway
-<b>moon</b> restricts the roadwarrior connection to host <b>carol</b>.
-</p>
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat
deleted file mode 100644
index c7657801e..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index db3884e57..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 6281340ae..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat
deleted file mode 100644
index dbf03f552..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-moon::rm /etc/ipsec.d/cacerts/*
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/test.conf b/testing/tests/ikev1/rw-psk-fqdn-named/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/ikev1/rw-psk-fqdn-named/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/rw-psk-fqdn/description.txt b/testing/tests/ikev1/rw-psk-fqdn/description.txt
index d6c79afb2..47f6968ae 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/description.txt
+++ b/testing/tests/ikev1/rw-psk-fqdn/description.txt
@@ -1,5 +1,6 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is
-based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN). 
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the
-tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind
-the gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and <b>Fully Qualified Domain Names</b>. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
index c7657801e..77f548848 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat
@@ -1,5 +1,14 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
index ffa211299..936a75401 100755..100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,7 +12,7 @@ conn %default
 	
 conn home
 	left=PH_IP_CAROL
-	leftid=@carol.strongswan.org
+	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
index db3884e57..47e31ca21 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets
@@ -1,7 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
+carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index 453cdc07c..d84cba2b0 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
index e10e9d45c..45cdd3eca 100755..100644
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,13 +8,13 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-
+	authby=secret
+	
 conn home
 	left=PH_IP_DAVE
-	leftcert=daveCert-sha512.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..f6c1a22ef
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..d84cba2b0
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
index efec3b33d..63bdd6bb8 100755..100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,11 +9,21 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	authby=secret
+
+conn rw-carol
+	also=rw
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
+
+conn rw-dave
+	also=rw
+	right=PH_IP_DAVE
+	rightid=dave@strongswan.org
+	auto=add
 	
 conn rw
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
index 661168fb5..e3dd0fba3 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets
@@ -1,3 +1,5 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+@moon.strongswan.org carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+@moon.strongswan.org dave@strongswan.org  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index 453cdc07c..d84cba2b0 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
index 94a400606..1865a1c60 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
index dbf03f552..44f41f995 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat
@@ -1,8 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
 carol::ipsec start
+dave::ipsec start
 moon::ipsec start
 carol::sleep 2
 carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-fqdn/test.conf b/testing/tests/ikev1/rw-psk-fqdn/test.conf
index 9cd583b16..f29298850 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-psk-ipv4/description.txt b/testing/tests/ikev1/rw-psk-ipv4/description.txt
index b3a0bc192..b4aaa6a6a 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/description.txt
+++ b/testing/tests/ikev1/rw-psk-ipv4/description.txt
@@ -1,5 +1,6 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is
-based on <b>Preshared Keys</b> (PSK) and <b>IPv4 addresses</b> (ID_IPV4_ADDR).
-<b>firewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b>
-behind the gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and <b>IPv4</b> addresses. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
index c7657801e..df37719e9 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat
@@ -1,5 +1,14 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*\[192.168.0.1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*\[192.168.0.1]::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*\[192.168.0.1].*\[192.168.0.100]::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*\[192.168.0.1].*\[192.168.0.200]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index 0d2a5d2c4..3214ace92 100755..100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
index 69313b289..18a074472 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
@@ -1,7 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-PH_IP_CAROL PH_IP_MOON : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
-
+192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 453cdc07c..d84cba2b0 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..f59de5f72
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	authby=secret
+	
+conn home
+	left=PH_IP_DAVE
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..a048cb5f2
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..d84cba2b0
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index 41582eaef..b6bb51c0c 100755..100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,10 +9,18 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	authby=secret
+
+conn rw-carol
+	also=rw
+	right=PH_IP_CAROL
+	auto=add
+
+conn rw-dave
+	also=rw
+	right=PH_IP_DAVE
+	auto=add
 	
 conn rw
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
index a8e367950..55c639704 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
@@ -1,7 +1,5 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
+192.168.0.1 192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
 
+192.168.0.1 192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 453cdc07c..d84cba2b0 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
index 94a400606..1865a1c60 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
index dbf03f552..44f41f995 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat
@@ -1,8 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
 carol::ipsec start
+dave::ipsec start
 moon::ipsec start
 carol::sleep 2
 carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-ipv4/test.conf b/testing/tests/ikev1/rw-psk-ipv4/test.conf
index 9cd583b16..f29298850 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-psk-no-policy/description.txt b/testing/tests/ikev1/rw-psk-no-policy/description.txt
deleted file mode 100644
index 0e359414f..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using
-<b>PSK</b>-based authentication. Since <b>moon</b> supports <b>RSASIG</b>-based
-authentication only, the connection setup fails.
diff --git a/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat b/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat
deleted file mode 100644
index a28377dbd..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::peer requests PSK authentication::YES
-moon::cat /var/log/auth.log::but no connection has been authorized with policy=PSK::YES
-moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO
-
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 453cdc07c..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/rw-psk-no-policy/posttest.dat b/testing/tests/ikev1/rw-psk-no-policy/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/rw-psk-no-policy/pretest.dat b/testing/tests/ikev1/rw-psk-no-policy/pretest.dat
deleted file mode 100644
index 3a7804ddd..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-no-policy/test.conf b/testing/tests/ikev1/rw-psk-no-policy/test.conf
deleted file mode 100644
index f622c18b7..000000000
--- a/testing/tests/ikev1/rw-psk-no-policy/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt b/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt
deleted file mode 100644
index b99a8e5b3..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> each set up a connection to gateway <b>moon</b>.
-<b>carol</b>'s authentication is based on a Pre-Shared Key (<b>PSK</b>) whereas <b>dave</b>'s
-is based on an RSA signature (<b>RSASIG</b>). Gateway <b>moon</b> supports both authentication modes
-and automatically selects the correct roadwarrior connection definition based on policy
-information gained from pre-parsing the peers' ISAKMP proposal payload. 
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
deleted file mode 100644
index 5ab6632cc..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::peer requests PSK authentication::YES
-moon::ipsec status::rw-psk.*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES
-moon::ipsec status::rw-rsasig.*PH_IP_DAVE STATE_QUICK_R2.*IPsec SA established::YES
-
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat
deleted file mode 100644
index ed530f6d9..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat
deleted file mode 100644
index 35797b589..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf
deleted file mode 100644
index 699b88e88..000000000
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol dave winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/description.txt b/testing/tests/ikev1/rw-rsa-no-policy/description.txt
deleted file mode 100644
index c3336b769..000000000
--- a/testing/tests/ikev1/rw-rsa-no-policy/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using
-<b>RSASIG</b>-based authentication. Since <b>moon</b> supports <b>PSK</b>-based
-authentication only, the connection setup fails.
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
deleted file mode 100644
index 849ae5d66..000000000
--- a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES
-moon::cat /var/log/auth.log::but no connection has been authorized with policy=PUBKEY::YES
-moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO
-
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e8c151f05..000000000
--- a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat b/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat b/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat
deleted file mode 100644
index 0d2a0dd1f..000000000
--- a/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/test.conf b/testing/tests/ikev1/rw-rsa-no-policy/test.conf
deleted file mode 100644
index f622c18b7..000000000
--- a/testing/tests/ikev1/rw-rsa-no-policy/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/self-signed/description.txt b/testing/tests/ikev1/self-signed/description.txt
deleted file mode 100644
index 2d7bfc2bf..000000000
--- a/testing/tests/ikev1/self-signed/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Roadwarrior <b>carol</b> and gateway <b>moon</b> each generate a
-PKCS#1 RSA private key and a self-signed X.509 certificate
-using the <b>ipsec scepclient</b> function. Because the UML testing
-environment does not offer enough entropy, the non-blocking /dev/urandom
-device is used in place of /dev/random for generating the random primes.
-<p>
-The self-signed certificates are then distributed to the peers via scp
-and are used to set up a road warrior connection initiated by <b>carol</b> 
diff --git a/testing/tests/ikev1/self-signed/evaltest.dat b/testing/tests/ikev1/self-signed/evaltest.dat
deleted file mode 100644
index f190d7066..000000000
--- a/testing/tests/ikev1/self-signed/evaltest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-carol::cat /var/log/auth.log::we have a cert but are not sending it::YES
-moon::cat /var/log/auth.log::we have a cert but are not sending it::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index f6859b8a4..000000000
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=0
-	strictcrlpolicy=no
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=selfCert.der
-	leftsendcert=never
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightcert=peerCert.der
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 167d743df..000000000
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA myKey.der
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e589a9425..000000000
--- a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 13ad3063f..000000000
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A INPUT  -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index f14352bf8..000000000
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=0
-	strictcrlpolicy=no
-	nocrsend=yes
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn carol
-	left=PH_IP_MOON
-	leftcert=moonCert.der
-	leftid=@moon.strongswan.org
-	leftsendcert=never
-	leftfirewall=yes
-	leftsubnet=10.1.0.0/16
-	right=%any
-	rightcert=carolCert.der
-	auto=add
-
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index b9ec17dbc..000000000
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.der
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf
deleted file mode 100644
index b84f3e131..000000000
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf
+++ /dev/null
@@ -1,6 +0,0 @@
---debug-control
---keylength 2032
---days 1460
---subjectAltName dns=moon.strongswan.org
---out pkcs1=moonKey.der
---out cert-self=moonCert.der 
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index e589a9425..000000000
--- a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink
-}
-
-scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/self-signed/posttest.dat b/testing/tests/ikev1/self-signed/posttest.dat
deleted file mode 100644
index 8cada5e7e..000000000
--- a/testing/tests/ikev1/self-signed/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/self-signed/pretest.dat b/testing/tests/ikev1/self-signed/pretest.dat
deleted file mode 100644
index a7cddf677..000000000
--- a/testing/tests/ikev1/self-signed/pretest.dat
+++ /dev/null
@@ -1,17 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec scepclient --out pkcs1 --out cert-self
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-moon::rm /etc/ipsec.d/cacerts/*
-moon::cat /etc/scepclient.conf
-moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf
-moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/carolCert.der
-moon::scp /etc/ipsec.d/certs/moonCert.der carol:/etc/ipsec.d/certs/peerCert.der
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/self-signed/test.conf b/testing/tests/ikev1/self-signed/test.conf
deleted file mode 100644
index 0baa48d90..000000000
--- a/testing/tests/ikev1/self-signed/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/starter-also-loop/description.txt b/testing/tests/ikev1/starter-also-loop/description.txt
deleted file mode 100644
index 7451f4e12..000000000
--- a/testing/tests/ikev1/starter-also-loop/description.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but
-uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define
-the connections in a modular form. A closed also loop created by including
-<b>conn host-host</b> in <b>conn moon</b> is successfully detected.
diff --git a/testing/tests/ikev1/starter-also-loop/evaltest.dat b/testing/tests/ikev1/starter-also-loop/evaltest.dat
deleted file mode 100644
index 161772f8e..000000000
--- a/testing/tests/ikev1/starter-also-loop/evaltest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::cat /var/log/auth.log::detected also loop::YES
-moon::cat /var/log/auth.log::errors in config::YES
-
diff --git a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index af2fcc5dc..000000000
--- a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn net-net
-	also=host-host
-	also=moon-net
-	also=sun-net
-        
-conn host-host
-	also=moon
-	also=sun
-	auto=add
-
-conn rw
-	right=%any
-	also=moon
-	also=moon-net
-	auto=add
-
-conn moon
-	left=PH_IP_MOON
-        leftcert=moonCert.pem
-        leftid=@moon.strongswan.org
-        leftfirewall=yes
-	also=host-host
-
-conn moon-net
-	leftsubnet=10.1.0.0/16
-
-conn sun
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-
-conn sun-net
-	rightsubnet=10.2.0.0/16
diff --git a/testing/tests/ikev1/starter-also-loop/posttest.dat b/testing/tests/ikev1/starter-also-loop/posttest.dat
deleted file mode 100644
index e69de29bb..000000000
--- a/testing/tests/ikev1/starter-also-loop/posttest.dat
+++ /dev/null
diff --git a/testing/tests/ikev1/starter-also-loop/pretest.dat b/testing/tests/ikev1/starter-also-loop/pretest.dat
deleted file mode 100644
index b135b12c3..000000000
--- a/testing/tests/ikev1/starter-also-loop/pretest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec start --debug-all
-moon::sleep 1
diff --git a/testing/tests/ikev1/starter-also-loop/test.conf b/testing/tests/ikev1/starter-also-loop/test.conf
deleted file mode 100644
index e7735308f..000000000
--- a/testing/tests/ikev1/starter-also-loop/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon"
diff --git a/testing/tests/ikev1/starter-also/description.txt b/testing/tests/ikev1/starter-also/description.txt
deleted file mode 100644
index 3d4ff7dbf..000000000
--- a/testing/tests/ikev1/starter-also/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but
-uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define
-the connections in a modular form.
diff --git a/testing/tests/ikev1/starter-also/evaltest.dat b/testing/tests/ikev1/starter-also/evaltest.dat
deleted file mode 100644
index c7657801e..000000000
--- a/testing/tests/ikev1/starter-also/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 2bd4985ca..000000000
--- a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn net-net
-	also=host-host
-	also=moon-net
-	also=sun-net
-        
-conn host-host
-	also=moon
-	also=sun
-	auto=add
-
-conn rw
-	right=%any
-	also=moon
-	also=moon-net
-	auto=add
-
-conn moon
-	left=PH_IP_MOON
-        leftcert=moonCert.pem
-        leftid=@moon.strongswan.org
-        leftfirewall=yes
-
-conn moon-net
-	leftsubnet=10.1.0.0/16
-
-conn sun
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-
-conn sun-net
-	rightsubnet=10.2.0.0/16
diff --git a/testing/tests/ikev1/starter-also/posttest.dat b/testing/tests/ikev1/starter-also/posttest.dat
deleted file mode 100644
index 94a400606..000000000
--- a/testing/tests/ikev1/starter-also/posttest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/starter-also/pretest.dat b/testing/tests/ikev1/starter-also/pretest.dat
deleted file mode 100644
index c7b4f43be..000000000
--- a/testing/tests/ikev1/starter-also/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start --debug-all
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/starter-also/test.conf b/testing/tests/ikev1/starter-also/test.conf
deleted file mode 100644
index 9cd583b16..000000000
--- a/testing/tests/ikev1/starter-also/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/starter-includes/description.txt b/testing/tests/ikev1/starter-includes/description.txt
deleted file mode 100644
index 6a05c0cca..000000000
--- a/testing/tests/ikev1/starter-includes/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-This test is based on the <a href="../mode-config">mode-config</a>
-scenario and demonstrates the multiple use of the <b>include</b>
-parameter in IPsec configuration files. At the top level <b>/etc/ipsec.conf</b>
-defines the config setup section and includes <b>/etc/ipsec.connections</b>
-which in turn includes <b>/etc/ipsec.host</b> and <b>/etc/ipsec.peers/*</b>
-thereby showing the use of wildcards in path definitions.
diff --git a/testing/tests/ikev1/starter-includes/evaltest.dat b/testing/tests/ikev1/starter-includes/evaltest.dat
deleted file mode 100644
index 7de32d681..000000000
--- a/testing/tests/ikev1/starter-includes/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 9c75434c2..000000000
--- a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftsourceip=%modeconfig
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 4e7bfc1b4..000000000
--- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-include /etc/ipsec.connections
diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
deleted file mode 100644
index bd47f9e09..000000000
--- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/ipsec.connections - connection definitions 
-
-conn %default
-        ikelifetime=60m
-        keylife=20m
-        rekeymargin=3m
-        keyingtries=1
-	keyexchange=ikev1
-
-include /etc/ipsec.host
-
-include /etc/ipsec.peers/*
-
diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host
deleted file mode 100755
index acf753cc0..000000000
--- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/ipsec.host - my host configuration
-
-conn %default
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
-	leftnexthop=%direct
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-
diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol
deleted file mode 100644
index 84bedfef6..000000000
--- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/ipsec.peers/ipsec.carol - connection from carol 
-
-conn rw-carol
-	right=%any
-	rightid=carol@strongswan.org
-	rightsourceip=PH_IP_CAROL1
-	auto=add
-
diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave
deleted file mode 100644
index ee021c9be..000000000
--- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave
+++ /dev/null
@@ -1,8 +0,0 @@
-# /etc/ipsec.peers/ipsec.dave - connection from dave
-
-conn rw-dave
-	right=%any
-	rightid=dave@strongswan.org
-	rightsourceip=PH_IP_DAVE1
-	auto=add
-
diff --git a/testing/tests/ikev1/starter-includes/posttest.dat b/testing/tests/ikev1/starter-includes/posttest.dat
deleted file mode 100644
index ebf7525ef..000000000
--- a/testing/tests/ikev1/starter-includes/posttest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
-moon::rm /etc/ipsec.connections /etc/ipsec.host
-moon::rm -r /etc/ipsec.peers
diff --git a/testing/tests/ikev1/starter-includes/pretest.dat b/testing/tests/ikev1/starter-includes/pretest.dat
deleted file mode 100644
index b034a0c03..000000000
--- a/testing/tests/ikev1/starter-includes/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::cat /etc/ipsec.connections /etc/ipsec.host /etc/ipsec.peers/*
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start --debug-all
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/starter-includes/test.conf b/testing/tests/ikev1/starter-includes/test.conf
deleted file mode 100644
index 1a8f2a4e0..000000000
--- a/testing/tests/ikev1/starter-includes/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/strong-certs/description.txt b/testing/tests/ikev1/strong-certs/description.txt
deleted file mode 100644
index 8e6e8b4f9..000000000
--- a/testing/tests/ikev1/strong-certs/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-This is a remote-access scenario with two roadwarriors <b>carol</b> and <b>dave</b>
-setting up a connection each to the VPN gateway <b>moon</b>. Authentication is
-based on strong X.509 certificates with SHA-2 signatures.
-The X.509 certificate of the gateway <b>moon</b> uses a <b>SHA-224</b> hash in
-its signature whereas the certificates of the roadwarriors <b>carol</b>
-and <b>dave</b> use <b>SHA-384</b> and <b>SHA-512</b>, respectively.
diff --git a/testing/tests/ikev1/strong-certs/evaltest.dat b/testing/tests/ikev1/strong-certs/evaltest.dat
deleted file mode 100644
index 2fe4de76f..000000000
--- a/testing/tests/ikev1/strong-certs/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 2a1dad5c6..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert-sha384.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
deleted file mode 100644
index 929f737c8..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEITCCAwmgAwIBAgIBJTANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTExMTAxNzEyNDc1OVoXDTE2MTAxNTEyNDc1OVowWTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0z
-ODQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAuByYUPGv67XSQHjpfFjhuH/l/sMIQGhsFcO4ebYv
-7otSsjbH4gasmAOvEFxoIxkOG9IWFAHP1WyiqG3sOsyyfUg6wHl1FTe4Y3kHWZp0
-DvtT6CWnnxQwKibIhXfB3IPHRTcRG1zGN4J3Vl6IofIRlrl0K3NYUUofn0xMKAoS
-hLjwuqq2eviX5NIQDOTnoga2C5Ed58hIc6/YWXzfg9EpB194tcCWmSj7yfq6ruD9
-xAh32ywd10fsi4tt3F/BWzXjySxBlBhvvh6kL/Nqa6OSWaXsvZqXmrYm+hm4LKkO
-ZLZYzBqJRpRm1rEhYqMg2u0SSSTXsNFuw+027n7Vt8+DzwIDAQABo4IBBjCCAQIw
-CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFPk6ATSleHErWFAYkCZD
-BhDo8X1qMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw
-CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMS
-c3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3
-YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v
-cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAHiE/MMyXJXuMuhw
-/lu/UwjCHbbJMA9QrBJe++34OwAV0siM98loVLs23vHXk/52QHRIwZgMLO2FF9Pk
-4JkFOvTXCgNPZKrUL28UhHsnJe8EZVOuir5o6yTSti+J/tR4M2YoY67JjW/KeTwU
-BVBtBVH88gf/xm2mSlIrkHxG3/GWqyEdeY7BOaft1sFTTZ1gKKXQlARtWidho1mf
-5Y1lZ//kOuvMjnk+hEWPWESq8lBzLOmQGBk65vaEH3LVZxSQVJbfG2E0dHgPZNgc
-hFOS8Oc6L6AfKlWHAT0ZCR5+1YsxxnlsftHzxiA0ayGCgpn2qcN+OPjfzPCtC80N
-6oXDLZM=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
deleted file mode 100644
index 1c59bcfe5..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAuByYUPGv67XSQHjpfFjhuH/l/sMIQGhsFcO4ebYv7otSsjbH
-4gasmAOvEFxoIxkOG9IWFAHP1WyiqG3sOsyyfUg6wHl1FTe4Y3kHWZp0DvtT6CWn
-nxQwKibIhXfB3IPHRTcRG1zGN4J3Vl6IofIRlrl0K3NYUUofn0xMKAoShLjwuqq2
-eviX5NIQDOTnoga2C5Ed58hIc6/YWXzfg9EpB194tcCWmSj7yfq6ruD9xAh32ywd
-10fsi4tt3F/BWzXjySxBlBhvvh6kL/Nqa6OSWaXsvZqXmrYm+hm4LKkOZLZYzBqJ
-RpRm1rEhYqMg2u0SSSTXsNFuw+027n7Vt8+DzwIDAQABAoIBAQCMhpbjwXWLLd5r
-A18DYDv5PPXpvCdCMfG9swPNMnfnVUQrbpCmPn3iEX2/uShrEaapKXNclf1yY1bL
-xAr43mCmK0lcu9fX+A2vLyOjCrbm8IIcwRDt5NTWd3+6D6xSierBM8TE480PdW9s
-5v7WzRMLvkWjHIkekrsMNYozTWzRC6MgO99hzalWzKSeHHxlieoG7sN8KQ0hmwO+
-lMR6XDwrEnENbDbX//rbPjD4gdkqwAzCyf2IMNAHefAJUrjll2t1aQNknGwpDaAS
-g8Il7iAwIxoP2SrJ89K4Wq4Ifq+tLeX1sjwF0IESi41xNZZ/CrLiJbIPZSyBVRvx
-wwzObUPBAoGBAO6Gu2QaUoIZWpIL5TcAbQIGUx4FPKy2FbKWnU6VL9fmw8DGqKC0
-WX/CCSBmYHQyvlozutX4g8PI6YfgbbuPpgt/yJeLO+33PZK2Cps0//0EmEIvZ7ZM
-kOV+PRNuDIlKQNCaD8LdAcp0KSUc8vo3BAYArrjd1WZze85tqgAHmKR/AoGBAMWZ
-YkyQwBE0+W9P5gmGwuc+q2T3SjpGXjtzyo63K6ra892u49xIklfvNZ3PlgNbTSCo
-tTZLfwRu2uRhh2C8ZsjwfdpMAdT0BNCqEXtdp8JBJiNmrvY17NrSJnMginvu26qM
-QbsaF2Q1BV7OMZHvjgYrCqgokUGcJY6A0OlftjixAoGBALa3mPbOvyOP/nRgDl86
-wUZKyAL4Kgl3llluzOP0nmi6Cnwy8dvhK6oVXl5mbj603GJGvDnKnE0vK819WzHR
-kXW/lk6YRvk8avtm3esVB3+vtF8G52CbeGeEc47dv1av/cSOL8KrAAMxRo96hJqt
-6DQc87sDm8RWdKGmGhLZvtFLAoGAA+bJaBWblTtkiWwccKe2hXZZT/8J+iiVh7r7
-juHS/Oah1giz+w97xDy25EzK+3n8Bd8O5OmMsnu12riKQcC2jtUgxwSlLJ080xno
-inUI8O70X9KRNc9Ow+tOUwubcGMA91cZnSYgvBvH5V1Q4T7HoRuMdFGIvLDmlO+6
-MEFxiaECgYEAw7GqJYl2q6be56WANWA9ecNenr4+ekHZImpK0vb1bYD2LinfFNNK
-9jOHK2tK2jV3DgfUEieItz/uWV3iCJkIfErwu3ZS9qnDBu70OHGpsM1nXRUzZ0Ct
-5vOlBr5h6DMrP+ou/95yeraoibqs2kTUrAdkC80Yk5nbEHFDiD6cJcw=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index fac55d63b..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA carolKey.pem
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
deleted file mode 100644
index fc769c1c9..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBJjANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTExMTAxNzEyNTAzMFoXDTE2MTAxNTEyNTAzMFowWDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS01
-MTIxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQCs5SBCzV3Is/w7CIzfBXRGv6uXwyDivRXXYsczeSRf
-5mw/slRVAEtNbX8rQ8BWLIqiJPCLDek5ODkqKI+hArZVpJqMzZyql2Teosrtnokb
-h/yA8EWtEr0jII2RxQ0xb8r25h+DwBosAM15B1rCAMmJOjbEMMBGmAb7y7N0K8nr
-Z8RctwrRdCGVcg+f+LFrklF1tBLs0zGIrJsk1eB0XbrB+fEPar9Lmn+/q2QHGPCt
-aOlR2ZxRsjqsYJW9yI8r33PVVm2aGmS/19UguEG8FC3owud0boHfP91/NvSIWfhP
-iIuDPjJOBPEJ/I6OYjYXXQuOZYwFGau2WrpNDQioPgedAgMBAAGjggEFMIIBATAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU5re6olyWAt1HfN2l92Rb
-7DDCnxMwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
-BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
-dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdzd2Fu
-Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQAtRPFMSuEnPmqeC2mF
-OE5N26r2p8HfB4FAPwarlg66IIvKvkk1zqn5YfZIXfMU/x5q+85aO31iQmjlAPpo
-KXqRq7V0a0ldjXEr+Tz7xG3jno989dBrD3kQZnwXR57xGt1qTVGY7uQdbgXWzVHM
-GYS6gjUw7Df9vAQcTfUxUpZc5wlDoiRrFkyPc1raFCZF3//Ig9agjO4r1SzPHYw7
-LrHJR1xkd0IWVTW8Z6xB14j452IiimhyK1zAR3zmh1vH9VuHDLHMhyjSl1R+gk5U
-KzDPaqXd4NA7eIQNiAhysYTXfmUYytbFNZw9bamxTxlCmca1snuTIcFM5OYOfxRT
-iKMh
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
deleted file mode 100644
index 900f73bac..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEArOUgQs1dyLP8OwiM3wV0Rr+rl8Mg4r0V12LHM3kkX+ZsP7JU
-VQBLTW1/K0PAViyKoiTwiw3pOTg5KiiPoQK2VaSajM2cqpdk3qLK7Z6JG4f8gPBF
-rRK9IyCNkcUNMW/K9uYfg8AaLADNeQdawgDJiTo2xDDARpgG+8uzdCvJ62fEXLcK
-0XQhlXIPn/ixa5JRdbQS7NMxiKybJNXgdF26wfnxD2q/S5p/v6tkBxjwrWjpUdmc
-UbI6rGCVvciPK99z1VZtmhpkv9fVILhBvBQt6MLndG6B3z/dfzb0iFn4T4iLgz4y
-TgTxCfyOjmI2F10LjmWMBRmrtlq6TQ0IqD4HnQIDAQABAoIBAG0+sa3EGdgxcdTT
-SD+7MIdroL7Z+rOKCnz32yp5BzTZYdi1k3fKIcqgv1PVEXjh2A8wDBWxCoavMd+j
-lW2FSzS+NzF00eMwmfnbHyIZpESTHkdSipQbXQsPDKTov7dXDgYHzi3vehoHv80T
-ipM+8BkXgXdh3nw8n10GjzN+X62v73pQxXooC2JrsxKPubB9NkX8UtcYddrmMQpr
-xOixBsk3VwkIh+3CatBPKJH/Ryk/U9rMU7F7KlAi+xHj3UF3iAvUwYVaJWAeWfci
-KP07cFxsar8Vgf2IK+sbZP6LPky1oiYq+VkIrgX6UPtyyrS60Bf7OFIy5I0Hmm8K
-b0rChbkCgYEA2B1IVtBmNBt/rCwqWgRLf4vW86JGgKAOx15hucPdA1NAHygNLdZC
-bcM6OkP1PEp1mpA0mDgYQQdggzsWKYuJjtf8MN9sZwi6SrRI2Y3OCy7SFLsyDNkz
-xkWo6b5/WGH+cEzVRVkD0RU97xjXudXzcwm1PA5goRcGNg1zdvOi0XsCgYEAzM3d
-tbq3txVh5EK3IeCsvtQGY4IFADdjaC2wgTeOlHo/nGoCB8TuFMN32MHqlmAdspJQ
-PojDKVZhhOknJQpBI1iYVYTJTIwtJM5CeY5gwhnrPVru4LJaa8zXTJdIeZ++nJFR
-Dawt5rsJ+f2yTzQWPm2Ywbril8KBVwqD4V9uQ8cCgYBk/foqJ6U7QIZ/TPxVqKAn
-cI/4tqK/xQxi+qYsi20i+qqCZNMT0oakiJETXWKi1CD1I+KQJ9advPbLHLeUnpKf
-4CsII8CivZ9g/bL1h6D79NtTuM8A1het1ivDX7Re9xxSGnWnvJtd/9E7hJ57R5JG
-9ghtkkJxxTKv28VTlzNFNQKBgDuQ4Jv7a3V3ZZpTARp8UyHJXvZQGY4/jcz+BOkA
-NJrgl2Gxv1dtImWtmEzV0Znc6KZIQch+VGzQb9qNSVJPkjRqjxvIXBfEaVjcGJ9s
-Fp49lZqpuPJnTT8vO6tOEMk2+eRlq3JTkqIZ4kPwUo0QtCuCCrzF0yOaca3UJBlH
-fTV/AoGAElXK1jYXzxJLTik9TW3Jl9w45GP572HAYVBc+gpCtvxVvr9V8qsiDST2
-hovbkEcG6o+rCAgHnzdCxpK0Avnb8yyu4yvBGTWowoBqF9Nyv2aZts83gRxEapZC
-Mc8u9QuIB0QCea13jgWWkkMLr9lt7kmVjR+Nch4lcF4RVqagEEE=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 98d9a8749..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert-sha224.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem
deleted file mode 100644
index bda4f528e..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIENDCCAxygAwIBAgIBJDANBgkqhkiG9w0BAQ4FADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTExMTAxNzEyNDUwN1oXDTE2MTAxNTEyNDUwN1owWDELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0y
-MjQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDEPYW1tmcbkgNMcnOHXAKHlgL2k7r1+rVWJ/8NF9vI
-7MpQ8qomHPV3G00CYSQsCDgBVvK71pasiz+dsYdHAY28ihb2m/lsaSquwsb0Fexj
-hJiqaohcLJk0MjTDUdArh6iddvDAYMDkfApM49TaXNxdz0sffV5KOIH0hrQe0wsw
-P2p/SHTATNh3ebTLr8Y7dMKecxFrKQswZc+d7gvIftZXRvjsUprc77dDURGByPw3
-N+/23chuDXNNaxMylWQhmiTUne8tIyg0vtur3do5Dq1IqQKqvxSfBjRL6ZJU0/6l
-KuhChV0cSVd2H2zzovuke5XzHzUsoESWXWYK9qIEj2HRAgMBAAGjggEaMIIBFjAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUT4FJonJgeZBpFHc8iosc
-WWM+mPswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ
-BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz
-dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2Fu
-Lm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRw
-Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEB
-DgUAA4IBAQA60WN0QwQuFVYg/C156POjKENZP9CGF8NyiC/NUYqgbIrGGTTpwTxs
-pW/+YDG1tVtCkqtLGsO0uZRe8Ihs3afNsPMNlCiTCPgrs5erc4ZTv5MB7Ap2lyL5
-NSQ9SggICbQhkHQHP6TINtas9+FrAw10jWIa107DYLLC7Ea77Y5vryL6/ymrpwdL
-Vwm9kAkGYvm0lmzw6YfzPskKc3MpWnjBTraPG42Z8oWTEDJnBtS761k60lNwndKC
-JdRUxoOOegzsKIIzorRz9xCN2zA2CAeChqHMbBpNCRwl0dQ00ztXReONl97iNgw6
-NrdHsqCiH8Q+I2JCxU230Zl6UFKARLo+
------END CERTIFICATE-----
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
deleted file mode 100644
index 51a33597e..000000000
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAxD2FtbZnG5IDTHJzh1wCh5YC9pO69fq1Vif/DRfbyOzKUPKq
-Jhz1dxtNAmEkLAg4AVbyu9aWrIs/nbGHRwGNvIoW9pv5bGkqrsLG9BXsY4SYqmqI
-XCyZNDI0w1HQK4eonXbwwGDA5HwKTOPU2lzcXc9LH31eSjiB9Ia0HtMLMD9qf0h0
-wEzYd3m0y6/GO3TCnnMRaykLMGXPne4LyH7WV0b47FKa3O+3Q1ERgcj8Nzfv9t3I
-bg1zTWsTMpVkIZok1J3vLSMoNL7bq93aOQ6tSKkCqr8UnwY0S+mSVNP+pSroQoVd
-HElXdh9s86L7pHuV8x81LKBEll1mCvaiBI9h0QIDAQABAoIBAEnZeTMb9ItslG81
-dwKOfqk1q+HNUIN3GLzWimYL/3sKmUyDNcLoDPwIux9VHT6wzRq79Nb5d3RxZrxa
-bbUsAYHdWazun5vLq/Nee26pvW7qHGWtd6lwYytAZZjHdhabk7nGY+2Ru6WAhIPR
-DW4rmgZ3lya/kDdQMp+p/ajH9SLvYdo8rc3e2a5pJJitR3iU9rFO8PRSD6is7ldr
-FxYDMWv+Latkscpku4fww8X6XlHo3u7usogs5FHjNePeJjNkzdj5X958OmzxN4JJ
-jKheFALXJuMYY/9MLWaygkZgWuD1yr8chBtH+kxJLqbv9/pBaQqehEDfGOgfPnQi
-OxccUS0CgYEA4VL/hsJvhziqd+MHryrYvPQgHZJf+ksMpRelD/zEJRjAGnyT2hDQ
-R1H9jKP689E6lhCire9ag79rkF4lOvVWpM4f1XOPwX9Oap93dRn5PZLCMKfmnuo7
-RSC3qsGRdzIB0j0e9XQXW3tzoSVJtASd0X7qMTujaWQef7hNPW/To9MCgYEA3vTk
-YQGARsJIjvF1xu7ut1NC1GyQbvDShylmrOBPTBRgzIEjWnifDH79BAXr9yTigqR/
-qHZhWC0bPPY2x6iFi4dTa30vNGqP61GU4HouQDZ/Lf7TXL7pTHRSihL3x9f2nIu+
-nyEhfrYomt0M960OHS5izXP/27vXItLTazshMUsCgYEAn3lOwOH8bYf9nrxgQ+nf
-XFysHkHrDArx+Caz/Iy5hkfuLtDdFAmyX8f33AJzKv16qZs8iD5Poc9pIdSAJSpf
-GGWKwlf39stThMM4mPi5HoswRZ+P6gl9yX9OftxhSCtsfpAjyTVREr5dKEBr2a0q
-xYs91XqQPZdOvraCdGkhMWECgYEAiQFTlYimmtSoYa5fAW+xoVW4q3BLEOFLfWMj
-hPgRwl6DXSe94cpdcgBW2jIJXkV8K2uKRqr4BocxRbTG1MnpxmPSDytN5pfU+HWZ
-Vpe99BeI72q31zY5hpG0ZsRhHpzHHkuBR6fEPWkSapeLcGcXVTc736R4hT5YZT3I
-TQx4ySECgYEArIxFy2zEbQH8znJoRwshSSanGovSCRxpoP+j5WHlccMQAjDhoFMg
-KLCXbbnNyM4qlvwHG4Z27Fgexvk5dPHYnQlW9A4YP4o6SFf6RnxW1ZdR/Kc4aY/6
-rXxt+Q0rf4qRKbTh90yDnc2YQj11g9BgvFliIM2GOTq8NUtjQVRgNm4=
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/strong-certs/posttest.dat b/testing/tests/ikev1/strong-certs/posttest.dat
deleted file mode 100644
index fc0fbeb38..000000000
--- a/testing/tests/ikev1/strong-certs/posttest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/private/*
-carol::rm /etc/ipsec.d/private/*
-dave::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
-carol::rm /etc/ipsec.d/certs/*
-dave::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev1/strong-certs/pretest.dat b/testing/tests/ikev1/strong-certs/pretest.dat
deleted file mode 100644
index de51ccdfa..000000000
--- a/testing/tests/ikev1/strong-certs/pretest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-carol::sleep 1 
diff --git a/testing/tests/ikev1/strong-certs/test.conf b/testing/tests/ikev1/strong-certs/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/ikev1/strong-certs/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/virtual-ip-swapped/description.txt b/testing/tests/ikev1/virtual-ip-swapped/description.txt
deleted file mode 100644
index 230906c5d..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/description.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Same scenario as test <a href="../virtual-ip/"><b>virtual-ip</b></a> but with
-swapped end definitions:  <b>right</b> denotes the <b>local</b> side whereas
-<b>left</b> stands for the <b>remote</b> peer.
diff --git a/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat b/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat
deleted file mode 100644
index 23e109838..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 4dfa345f4..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn home
-	right=PH_IP_CAROL
-	rightsourceip=PH_IP_CAROL1
-	rightcert=carolCert.pem
-	rightid=carol@strongswan.org
-	rightfirewall=yes
-	left=PH_IP_MOON
-	leftsubnet=10.1.0.0/16
-	leftid=@moon.strongswan.org
-	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index b65d7a690..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn rw
-	right=PH_IP_MOON
-	rightsourceip=PH_IP_MOON1
-	rightcert=moonCert.pem
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	rightfirewall=yes
-	leftsubnetwithin=10.3.0.0/16
-	left=%any
-	auto=add
diff --git a/testing/tests/ikev1/virtual-ip-swapped/posttest.dat b/testing/tests/ikev1/virtual-ip-swapped/posttest.dat
deleted file mode 100644
index 2116e86e0..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
diff --git a/testing/tests/ikev1/virtual-ip-swapped/pretest.dat b/testing/tests/ikev1/virtual-ip-swapped/pretest.dat
deleted file mode 100644
index 4fe0ee90b..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up home
diff --git a/testing/tests/ikev1/virtual-ip-swapped/test.conf b/testing/tests/ikev1/virtual-ip-swapped/test.conf
deleted file mode 100644
index f106524e2..000000000
--- a/testing/tests/ikev1/virtual-ip-swapped/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon alice"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/virtual-ip/description.txt b/testing/tests/ikev1/virtual-ip/description.txt
index 4ec6021ea..c16b70b70 100644
--- a/testing/tests/ikev1/virtual-ip/description.txt
+++ b/testing/tests/ikev1/virtual-ip/description.txt
@@ -1,8 +1,14 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. Both <b>carol</b>
-and <b>moon</b> define a static virtual IP using the <b>leftsourceip</b> parameter.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, <b>carol</b> pings the client <b>alice</b>
-behind the gateway <b>moon</b> as well as the inner interface of the gateway. The source IP
-of the two pings will be the virtual IP <b>carol1</b>. Also thanks to its virtual IP <b>moon1</b>
-the gateway <b>moon</b> is able to ping <b>carol1</b> by using the existing subnet-subnet IPsec
-tunnel.
+The roadwarriors <b>carol</b> and <b>dave</b> both set up a connection to gateway <b>moon</b>.
+The roadwarriors each unilaterally define a static virtual IP using the <b>leftsourceip</b>
+parameter. In order to detect potential address conflicts, the roadwarriors send
+their virtual IPs embedded in an IKEv1 Mode Config payload to <b>moon</b> for verification.
+In our scenario <b>moon</b> accepts the address choices thus allowing <b>carol</b> and
+<b>dave</b> to install their respective virtual IP addresses.
+<p>
+In order to test the tunnels both <b>carol</b> and <b>dave</b> ping the client <b>alice</b>
+behind the gateway <b>moon</b> as well as the inner interface of the gateway.
+The latter ping requires access to the gateway itself which is granted by the
+directive <b>lefthostaccess=yes</b>. The source IP of the two pings will be the virtual
+IP addresses <b>carol1</b> and <b>dave1</b>, respectively. Also thanks to the automatically
+configured source route entries, <b>moon</b> is able to ping both roadwarriors by using the
+established net-net IPsec tunnels.
diff --git a/testing/tests/ikev1/virtual-ip/evaltest.dat b/testing/tests/ikev1/virtual-ip/evaltest.dat
index 23e109838..0f5df71d7 100644
--- a/testing/tests/ikev1/virtual-ip/evaltest.dat
+++ b/testing/tests/ikev1/virtual-ip/evaltest.dat
@@ -1,9 +1,31 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES
+carol::ip addr list dev eth0::PH_IP_CAROL1::YES
+carol::ip route list table 220::src PH_IP_CAROL1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::src PH_IP_DAVE1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
 alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
+
diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
index e0ef16930..862f43606 100755..100644
--- a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -23,7 +19,3 @@ conn home
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
 	auto=add
-
-
-
-
diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/ipsec.conf
index 73167caad..5ba2b347a 100755..100644
--- a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha256-modp2048!
 
 conn home
 	left=PH_IP_DAVE
+	leftsourceip=PH_IP_DAVE1
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
 	auto=add
diff --git a/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
index 63a8c92b5..4f3fd61f8 100755..100644
--- a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -15,11 +11,11 @@ conn %default
 
 conn rw
 	left=PH_IP_MOON
-	leftsourceip=PH_IP_MOON1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
-	rightsubnetwithin=10.3.0.0/16
+	lefthostaccess=yes
 	right=%any
+	rightsourceip=%config
 	auto=add
diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/virtual-ip/posttest.dat b/testing/tests/ikev1/virtual-ip/posttest.dat
index 2116e86e0..1865a1c60 100644
--- a/testing/tests/ikev1/virtual-ip/posttest.dat
+++ b/testing/tests/ikev1/virtual-ip/posttest.dat
@@ -1,5 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/virtual-ip/pretest.dat b/testing/tests/ikev1/virtual-ip/pretest.dat
index 0b2ae8d2b..1765a83cd 100644
--- a/testing/tests/ikev1/virtual-ip/pretest.dat
+++ b/testing/tests/ikev1/virtual-ip/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
+dave::ipsec start
 moon::ipsec start
-carol::sleep 2
+carol::sleep 1 
 carol::ipsec up home
-carol::sleep 1
+dave::ipsec up home
diff --git a/testing/tests/ikev1/virtual-ip/test.conf b/testing/tests/ikev1/virtual-ip/test.conf
index f106524e2..164b07ff9 100644
--- a/testing/tests/ikev1/virtual-ip/test.conf
+++ b/testing/tests/ikev1/virtual-ip/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w.png"
+DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/wildcards/description.txt b/testing/tests/ikev1/wildcards/description.txt
deleted file mode 100644
index e485f7066..000000000
--- a/testing/tests/ikev1/wildcards/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
-<b>venus</b> by means of wildcard parameters that must match the subject
-<b>Distinguished Name</b> contained in the peer's X.509 certificate. Access to
-<b>alice</b> is granted for DNs containing a OU=Research field whereas <b>venus</b>
-can only be reached with a DN containing OU=Accounting. The roadwarriors
-<b>carol</b> and <b>dave</b> belong to the departments 'Research' and 'Accounting',
-respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b>
-can reach <b>venus</b>.
diff --git a/testing/tests/ikev1/wildcards/evaltest.dat b/testing/tests/ikev1/wildcards/evaltest.dat
deleted file mode 100644
index cbc94b75a..000000000
--- a/testing/tests/ikev1/wildcards/evaltest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO
-dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES
-dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index cf93bb231..000000000
--- a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 5f04445d2..000000000
--- a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-
-conn alice
-	rightsubnet=PH_IP_ALICE/32
-	auto=add
-	
-conn venus
-	rightsubnet=PH_IP_VENUS/32
-	auto=add
-
-
-
-
-
diff --git a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 39b031551..000000000
--- a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-
-conn alice
-	leftsubnet=PH_IP_ALICE/32
-	right=%any
-	rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
-	auto=add
-
-conn venus
-	leftsubnet=PH_IP_VENUS/32
-	right=%any
-	rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
-	auto=add
diff --git a/testing/tests/ikev1/wildcards/posttest.dat b/testing/tests/ikev1/wildcards/posttest.dat
deleted file mode 100644
index ed530f6d9..000000000
--- a/testing/tests/ikev1/wildcards/posttest.dat
+++ /dev/null
@@ -1,3 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
diff --git a/testing/tests/ikev1/wildcards/pretest.dat b/testing/tests/ikev1/wildcards/pretest.dat
deleted file mode 100644
index 67c50c2ef..000000000
--- a/testing/tests/ikev1/wildcards/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
-dave::ipsec start
-moon::ipsec start
-carol::sleep 2
-carol::ipsec up alice
-carol::ipsec up venus
-dave::ipsec up venus
-dave::ipsec up alice
diff --git a/testing/tests/ikev1/wildcards/test.conf b/testing/tests/ikev1/wildcards/test.conf
deleted file mode 100644
index 08e5cc145..000000000
--- a/testing/tests/ikev1/wildcards/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/wlan/description.txt b/testing/tests/ikev1/wlan/description.txt
deleted file mode 100644
index e018148bd..000000000
--- a/testing/tests/ikev1/wlan/description.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-The WLAN clients <b>alice</b> and <b>venus</b> secure all their wireless traffic
-by setting up an IPsec tunnel to gateway <b>moon</b>. The VPN network mask is
-<b>0.0.0.0/0</b>. Traffic with destination outside the protected 10.1.0.0/10 network
-is NAT-ed by router <b>moon</b>. The IPsec connections are tested by pings from
-<b>alice</b> to <b>venus</b> tunneled  via <b>moon</b> and to both the internal
-and external interface of gateway <b>moon</b>. Access to the gateway is
-set up by <b>lefthostaccess=yes</b> in conjunction with <b>leftfirewall=yes</b>.
-At last <b>alice</b> and <b>venus</b> ping the external host <b>sun</b> via the NAT router.
-<p>
-The host system controls the UML instances <b>alice</b> and <b>carol</b> via
-ssh commands sent over the virtual <b>tap1</b> interface. In order to keep up 
-the control flow in the presence of the all-encompassing 0.0.0.0/0 tunnel
-to the gateway <b>moon</b> an auxiliary <b>passthrough</b> eroute restricted
-to the ssh port is statically set up by <b>conn system</b>.
-
diff --git a/testing/tests/ikev1/wlan/evaltest.dat b/testing/tests/ikev1/wlan/evaltest.dat
deleted file mode 100644
index 079ac4429..000000000
--- a/testing/tests/ikev1/wlan/evaltest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-alice::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES
-venus::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
-moon::tcpdump::ESP::YES
-sun::tcpdump::ICMP::YES
diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 86a76e2db..000000000
--- a/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow esp
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
deleted file mode 100755
index e3cf9b15d..000000000
--- a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn system
-	left=PH_IP_ALICE
-	leftprotoport=tcp/ssh
-	authby=never
-	type=passthrough
-	right=10.1.0.254
-	rightprotoport=tcp
-	auto=route
-
-conn wlan 
-	left=PH_IP_ALICE
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON1
-	rightid=@moon.strongswan.org
-	rightsubnet=0.0.0.0/0
-	auto=add
-
diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index e95ef44c6..000000000
--- a/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-        # allow crl fetch from winnetou
-	iptables -A INPUT   -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT  -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# enable SNAT
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p icmp -j SNAT --to-source PH_IP_MOON
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp  -j SNAT --to-source PH_IP_MOON:2000-2100
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 61ce28e6b..000000000
--- a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn alice
-	right=PH_IP_ALICE
-	rightid=alice@strongswan.org
-	also=wlan
-	auto=add
-
-conn venus
-	right=PH_IP_VENUS
-	rightid=@venus.strongswan.org
-	also=wlan
-	auto=add
-
-conn wlan
-        left=PH_IP_MOON1
-	leftsubnet=0.0.0.0/0
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	lefthostaccess=yes
-
diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 6f95e7576..000000000
--- a/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-				
-				# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
deleted file mode 100755
index fa2dc953e..000000000
--- a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-
-conn system
-	left=PH_IP_VENUS
-	leftprotoport=tcp/ssh
-	authby=never
-	type=passthrough
-	right=10.1.0.254
-	rightprotoport=tcp
-	auto=route
-
-conn wlan 
-	left=PH_IP_VENUS
-	leftcert=venusCert.pem
-	leftid=@venus.strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON1
-	rightid=@moon.strongswan.org
-	rightsubnet=0.0.0.0/0
-	auto=add
-
diff --git a/testing/tests/ikev1/wlan/posttest.dat b/testing/tests/ikev1/wlan/posttest.dat
deleted file mode 100644
index 6bd2379d8..000000000
--- a/testing/tests/ikev1/wlan/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::iptables -t nat -v -n -L POSTROUTING
-moon::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-moon::conntrack -F
diff --git a/testing/tests/ikev1/wlan/pretest.dat b/testing/tests/ikev1/wlan/pretest.dat
deleted file mode 100644
index de4a6ad31..000000000
--- a/testing/tests/ikev1/wlan/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-alice::ipsec start
-venus::ipsec start
-alice::sleep 2 
-alice::ipsec up wlan 
-venus::sleep 2 
-venus::ipsec up wlan
-venus::sleep 2
diff --git a/testing/tests/ikev1/wlan/test.conf b/testing/tests/ikev1/wlan/test.conf
deleted file mode 100644
index b141c4f1b..000000000
--- a/testing/tests/ikev1/wlan/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon:eth1 sun"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus moon"
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt b/testing/tests/ikev1/xauth-id-psk-config/description.txt
index 191011747..fc417e416 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt
+++ b/testing/tests/ikev1/xauth-id-psk-config/description.txt
@@ -2,7 +2,7 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>
 The authentication is based on Pre-Shared Keys (<b>PSK</b>)
 followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
 based on user names and passwords. Next <b>carol</b> and <b>dave</b> request a
-<b>virtual IP</b> via the IKE Mode Config protocol by using the <b>leftsourceip=%modeconfig</b>
+<b>virtual IP</b> via the IKE Mode Config protocol by using the <b>leftsourceip=%config</b>
 parameter. The virtual IP addresses are registered under the users' XAUTH identity. 
 <p>
 Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
diff --git a/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
new file mode 100644
index 000000000..cd4ebd8ec
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat
@@ -0,0 +1,24 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.100]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.200]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.conf
index da1a10513..f557eb961 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,12 +8,17 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthpsk
 
 conn home
 	left=PH_IP_CAROL
+	leftid=PH_IP_CAROL
+	leftsourceip=%config
+	leftauth=psk
+	leftauth2=xauth
 	leftfirewall=yes
 	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightauth=psk
 	xauth_identity=carol
 	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..e2cea4e3d
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,9 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@dave.strongswan.org : PSK 0sqc1FhzwoUSbpjYUSp8I6qUdxDacxLCTq
+
+@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+@sun.strongswan.org :  PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5
+
+carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1fb5d14b1
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..ea707b50b
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_DAVE
+	leftid=PH_IP_DAVE
+	leftsourceip=%config
+	leftauth=psk
+	leftauth2=xauth
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=psk
+	xauth_identity=dave
+	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets
index 25e8c2796..25e8c2796 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..1fb5d14b1
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.conf
index 452187f11..8b3524219 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthpsk
-	xauth=server
 
 conn rw
 	left=PH_IP_MOON
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
+	leftauth=psk
 	leftfirewall=yes
 	right=%any
 	rightsourceip=10.3.0.0/24
+	rightauth=psk
+	rightauth2=xauth
 	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets
index 20d8e0269..20d8e0269 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
index 089467da4..422538cec 100644
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
@@ -1,13 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth attr kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic attr kernel-netlink socket-default stroke updown
   dns1 = 192.168.0.150
   dns2 = 10.1.0.20
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-psk-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
new file mode 100644
index 000000000..b757d8b15
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-psk/pretest.dat b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
index 95a6be131..88a91ae86 100644
--- a/testing/tests/ikev1/xauth-id-psk/pretest.dat
+++ b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/xauth-id-psk-config/test.conf b/testing/tests/ikev1/xauth-id-psk-config/test.conf
new file mode 100644
index 000000000..9b1ec0b54
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-config/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat
deleted file mode 100644
index 4552cfe61..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::ipsec leases rw 10.3.0.1::carol::YES
-moon::ipsec leases rw 10.3.0.2::dave::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index b7402d24b..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthpsk
-
-conn home
-	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
-	leftsourceip=%modeconfig
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	xauth_identity=carol
-	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index e5adf3e8e..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org @dave.strongswan.org : PSK 0sqc1FhzwoUSbpjYUSp8I6qUdxDacxLCTq
-
-carol@strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-carol@strongswan.org @sun.strongswan.org :  PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5
-
-carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index e3f377d18..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 8f9226dd1..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthpsk
-
-conn home
-	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
-	leftsourceip=%modeconfig
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	xauth_identity=dave
-	auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index e3f377d18..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
deleted file mode 100644
index f90d222b5..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf
deleted file mode 100644
index 75510b295..000000000
--- a/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-psk/description.txt b/testing/tests/ikev1/xauth-id-psk/description.txt
deleted file mode 100644
index 0ac2043c2..000000000
--- a/testing/tests/ikev1/xauth-id-psk/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
-The authentication is based on Pre-Shared Keys (<b>PSK</b>)
-followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names and passwords.
-<p>
-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
-<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-psk/evaltest.dat b/testing/tests/ikev1/xauth-id-psk/evaltest.dat
deleted file mode 100644
index b019f8d76..000000000
--- a/testing/tests/ikev1/xauth-id-psk/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::xauth user name is .*carol::YES
-moon::cat /var/log/auth.log::xauth user name is .*dave::YES
-moon::cat /var/log/auth.log::extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 7a272a371..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c9eb0bc97..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 25e8c2796..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-dave : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c9eb0bc97..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 3f86fa594..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,7 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-carol : XAUTH "4iChxLT3"
-
-dave  : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index c9eb0bc97..000000000
--- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-psk/posttest.dat b/testing/tests/ikev1/xauth-id-psk/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/ikev1/xauth-id-psk/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-psk/test.conf b/testing/tests/ikev1/xauth-id-psk/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/ikev1/xauth-id-psk/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa/description.txt b/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt
index 9483c8f39..90209c266 100644
--- a/testing/tests/ikev1/xauth-id-rsa/description.txt
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt
@@ -1,4 +1,5 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>
+using <b>IKEv1 Aggressive Mode</b>.
 The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
 followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
 based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
new file mode 100644
index 000000000..34c124c95
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat
@@ -0,0 +1,16 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.conf
index be62c2b8f..09308efad 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,15 +8,18 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthrsasig
+	aggressive=yes
 
 conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	xauth_identity=carol
 	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.secrets
index 29492b5f9..29492b5f9 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.conf
index c09fb3c2c..8cc9f68dc 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,15 +8,18 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthrsasig
+	aggressive=yes
 
 conn home
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	xauth_identity=dave
 	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.secrets
index 8cf7db530..8cf7db530 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.conf
index 02270e004..2a27145c8 100755..100644
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -10,17 +8,16 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	aggressive=yes
+
+conn rw
 	left=PH_IP_MOON
+	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
+	leftauth=pubkey
 	leftfirewall=yes
 	right=%any
-	
-conn rw-rsasig
-	authby=rsasig
-	leftcert=moonCert.pem
-	auto=add
-
-conn rw-psk
-	authby=secret
+	rightauth=pubkey
+	rightauth2=xauth
 	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.secrets
index 2586f5f39..bd9b0dbfb 100644
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.secrets
@@ -2,4 +2,6 @@
 
 : RSA moonKey.pem
 
-carol@strongswan.org : XAUTH "4iChxLT3" 
+carol : XAUTH "4iChxLT3"
+
+dave : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
new file mode 100644
index 000000000..e5a06d44c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/description.txt b/testing/tests/ikev1/xauth-id-rsa-config/description.txt
index aa2b31542..feb154d49 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/description.txt
+++ b/testing/tests/ikev1/xauth-id-rsa-config/description.txt
@@ -1,9 +1,10 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
 The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
 followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
-based on user names and passwords. Next both <b>carol</b> and <b>dave</b> request a
-<b>virtual IP</b> via the IKE Mode Config protocol by using the
-<b>leftsourceip=%modeconfig</b> parameter.
+based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
+respectively) and corresponding user passwords defined and stored in ipsec.secrets.
+Next both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config
+protocol by using the <b>leftsourceip=%config</b> parameter.
 <p>
 Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic.
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
new file mode 100644
index 000000000..7604a1527
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat
@@ -0,0 +1,20 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf
index 5e7cc89a7..ddb043278 100755..100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,15 +8,18 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	modeconfig=push
 
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
 	leftfirewall=yes
+	xauth_identity=carol
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets
index 13e6e0656..29492b5f9 100644
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets
@@ -2,4 +2,4 @@
 
 : RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
 
-carol@strongswan.org : XAUTH "4iChxLT8" 
+carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..69950dc6d
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_DAVE
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
+	leftfirewall=yes
+	xauth_identity=dave
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets
index 9031f323a..8cf7db530 100644
--- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets
@@ -1,3 +1,5 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
 : RSA daveKey.pem
+
+dave : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf
index 0a65acb5d..d9fcc27c4 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthrsasig
-	xauth=server
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
+	leftauth=pubkey
 	leftfirewall=yes
 	right=%any
+	rightauth=pubkey
+	rightauth2=xauth
 	auto=add
 
 conn rw-carol
@@ -27,5 +24,5 @@ conn rw-carol
 	rightsourceip=PH_IP_CAROL1
 
 conn rw-dave
-	rightid=dave@strongswan.org
-	rightsourceip=PH_IP_DAVE1
+ 	rightid=dave@strongswan.org
+ 	rightsourceip=PH_IP_DAVE1
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets
index fef50218a..fef50218a 100644
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
new file mode 100644
index 000000000..e5a06d44c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/test.conf b/testing/tests/ikev1/xauth-id-rsa-config/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-config/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt b/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt
new file mode 100644
index 000000000..88351ffda
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>
+using <b>IKEv1 Hybrid Mode</b>.
+The authentication of <b>moon</b> is based on an RSA signature combined with a X.509 certificate,
+followed by an extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
+based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>,
+respectively) and corresponding user passwords defined and stored in ipsec.secrets.
+<p>
+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client
+<b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
new file mode 100644
index 000000000..34c124c95
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat
@@ -0,0 +1,16 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf
index f2a15af0a..e12cefa65 100755..100644
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -10,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128,serpent128,twofish128,3des
-	
+
 conn home
-	authby=secret
 	left=PH_IP_CAROL
 	leftid=carol@strongswan.org
+	leftauth=xauth
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	xauth_identity=carol
 	auto=add
diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets
index 8e31be4cb..cf2178e9b 100644
--- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: RSA carolRevokedKey.pem
+carol : XAUTH "4iChxLT3" 
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf
index 3a4b75af6..03b29f6c9 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,12 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthpsk
 
 conn home
 	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=xauth
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	xauth_identity=dave
 	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..19d918630
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..d76dec16d
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftauth=pubkey
+	leftfirewall=yes
+	right=%any
+	rightauth=xauth
+	auto=add
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets
index fd33507a7..bd9b0dbfb 100644
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets
@@ -1,5 +1,7 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
 : RSA moonKey.pem
+
+carol : XAUTH "4iChxLT3"
+
+dave : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
new file mode 100644
index 000000000..e5a06d44c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa/evaltest.dat
deleted file mode 100644
index b019f8d76..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::xauth user name is .*carol::YES
-moon::cat /var/log/auth.log::xauth user name is .*dave::YES
-moon::cat /var/log/auth.log::extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
deleted file mode 100644
index 251041443..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-	xauth=server
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-id-rsa/posttest.dat b/testing/tests/ikev1/xauth-id-rsa/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-rsa/pretest.dat b/testing/tests/ikev1/xauth-id-rsa/pretest.dat
deleted file mode 100644
index 78e2d57f8..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa/test.conf b/testing/tests/ikev1/xauth-id-rsa/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/ikev1/xauth-id-rsa/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-psk/evaltest.dat b/testing/tests/ikev1/xauth-psk/evaltest.dat
index 786043065..c6637cbfe 100644
--- a/testing/tests/ikev1/xauth-psk/evaltest.dat
+++ b/testing/tests/ikev1/xauth-psk/evaltest.dat
@@ -1,13 +1,15 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES
-moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES
-moon::cat /var/log/auth.log::extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
index 1c7d7002e..a6bba5b04 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,13 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthpsk
 
 conn home
 	left=PH_IP_CAROL
 	leftid=carol@strongswan.org
+	leftauth=psk
+	leftauth2=xauth
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid=moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=psk
 	auto=add
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
index c9eb0bc97..61260f891 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
index 782c160c9..5b80edb9f 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,13 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthpsk
 
 conn home
 	left=PH_IP_DAVE
 	leftid=dave@strongswan.org
 	leftfirewall=yes
+	leftauth=psk
+	leftauth2=xauth
 	right=PH_IP_MOON
-	rightid=moon.strongswan.org
 	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=psk
 	auto=add
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
index c9eb0bc97..61260f891 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
index 595e6588c..7e79c11f8 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,13 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthpsk
-	xauth=server
 
 conn rw
 	left=PH_IP_MOON
-	leftid=moon.strongswan.org
+	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
+	leftauth=psk
 	leftfirewall=yes
 	right=%any
+	rightauth=psk
+	rightauth2=xauth
 	auto=add
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
index c9eb0bc97..61260f891 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-psk/posttest.dat b/testing/tests/ikev1/xauth-psk/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-psk/posttest.dat
+++ b/testing/tests/ikev1/xauth-psk/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-psk/pretest.dat b/testing/tests/ikev1/xauth-psk/pretest.dat
index 95a6be131..88a91ae86 100644
--- a/testing/tests/ikev1/xauth-psk/pretest.dat
+++ b/testing/tests/ikev1/xauth-psk/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev1/xauth-psk/test.conf b/testing/tests/ikev1/xauth-psk/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-psk/test.conf
+++ b/testing/tests/ikev1/xauth-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt
new file mode 100644
index 000000000..a586a14cb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt
@@ -0,0 +1,8 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> based on a user name
+equal to the <b>IKEv1</b> identity (<b>carol@strongswan.org</b>) and a user password
+defined and stored by <b>carol</b> in ipsec.secrets. Gateway <b>moon</b> starts
+an EAP-RADIUS connection with AAA server <b>alice</b> and uses <b>carol</b>'s 
+forwarded XAUTH user credentials for an EAP-MD5 based client authentication with
+<b>alice</b>.
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
new file mode 100644
index 000000000..d568273d1
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat
@@ -0,0 +1,10 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol@strongswan.org' successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
index 623f42904..623f42904 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
index 802fcfd8d..dd0825858 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -41,4 +41,3 @@ pre-proxy {
 post-proxy {
   eap
 }
-
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..2fdd60f00
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.secrets
index 4a77c3b97..4a77c3b97 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..5701b7a82
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	right=%any
+	rightauth=pubkey
+	rightauth2=xauth-eap
+	auto=add
diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.secrets
index e86d6aa5c..e86d6aa5c 100644
--- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.secrets
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..e2e2164ae
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius eap-md5 xauth-eap updown
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
new file mode 100644
index 000000000..181949fb5
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
new file mode 100644
index 000000000..9adc43d3e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
new file mode 100644
index 000000000..eb1e15dd2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev1/xauth-rsa-fail/description.txt b/testing/tests/ikev1/xauth-rsa-fail/description.txt
deleted file mode 100644
index 98d85f30b..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509
-certificates followed by extended authentication (<b>XAUTH</b>) based
-on user name and password. Because user <b>carol</b> presents a wrong
-XAUTH password the IKE negotiation is aborted and the ISAKMP SA is deleted.
diff --git a/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat b/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat
deleted file mode 100644
index 0bcef388d..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-carol::cat /var/log/auth.log::extended authentication failed::YES
-moon::cat /var/log/auth.log::extended authentication failed::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 186d8e121..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 251041443..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-	xauth=server
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-fail/posttest.dat b/testing/tests/ikev1/xauth-rsa-fail/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/xauth-rsa-fail/pretest.dat b/testing/tests/ikev1/xauth-rsa-fail/pretest.dat
deleted file mode 100644
index 4ac57ab16..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/pretest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-carol::ipsec start
-moon::ipsec start
-carol::sleep 2 
-carol::ipsec up home
-carol::sleep 1
diff --git a/testing/tests/ikev1/xauth-rsa-fail/test.conf b/testing/tests/ikev1/xauth-rsa-fail/test.conf
deleted file mode 100644
index 5442565f8..000000000
--- a/testing/tests/ikev1/xauth-rsa-fail/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat
deleted file mode 100644
index 15dd054a0..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES
-moon::cat /var/log/auth.log::dave.*extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
deleted file mode 100644
index ca2df4b28..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-
-conn home
-	left=PH_IP_CAROL
-	leftsourceip=%modeconfig
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
deleted file mode 100644
index 079c6b0d5..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-
-conn home
-	left=PH_IP_DAVE
-	leftsourceip=%modeconfig
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 1c0248b84..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA daveKey.pem
-
-dave@strongswan.org : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
deleted file mode 100644
index f90d222b5..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-carol::ip addr del PH_IP_CAROL1/32 dev eth0
-dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat
deleted file mode 100644
index 78e2d57f8..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 2
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/test.conf b/testing/tests/ikev1/xauth-rsa-mode-config/test.conf
deleted file mode 100644
index 75510b295..000000000
--- a/testing/tests/ikev1/xauth-rsa-mode-config/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="alice moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt
deleted file mode 100644
index a6fe82330..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509
-certificates followed by extended authentication (<b>XAUTH</b>) based
-on user name and password. Because user <b>carol</b> cannot find her 
-XAUTH credentials in ipsec.secrets, the IKE negotiation is aborted and the
-ISAKMP SA is deleted.
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat
deleted file mode 100644
index ddbb3ae2d..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat
+++ /dev/null
@@ -1,4 +0,0 @@
-carol::cat /var/log/auth.log::xauth user credentials not found::YES
-moon::cat /var/log/auth.log::received FAIL status in XAUTH reply::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index fc86bab41..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control controlmore"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index e2709cdf1..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	plutodebug="control controlmore"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthrsasig
-	xauth=server
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index de1cbb134..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat
deleted file mode 100644
index c6d6235f9..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat
+++ /dev/null
@@ -1,2 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/test.conf b/testing/tests/ikev1/xauth-rsa-nosecret/test.conf
deleted file mode 100644
index 5442565f8..000000000
--- a/testing/tests/ikev1/xauth-rsa-nosecret/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS=""
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/description.txt b/testing/tests/ikev1/xauth-rsa-radius/description.txt
new file mode 100644
index 000000000..fb30d163e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/description.txt
@@ -0,0 +1,7 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
+The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates
+followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> based on a user name
+equal to the <b>IKEv1</b> identity (<b>carol@strongswan.org</b>) and a user password
+defined and stored by <b>carol</b> in ipsec.secrets. Gateway <b>moon</b> verifies
+<b>carol</b>'s XAUTH user credentials using a RADIUS connection with AAA server
+<b>alice</b>.
diff --git a/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
new file mode 100644
index 000000000..ee60292a3
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat
@@ -0,0 +1,9 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf
index 623f42904..623f42904 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..929b6cd74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,39 @@
+authorize {
+  suffix
+  files
+}
+
+authenticate {
+  pap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..4fb07b912
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1 @@
+carol	Cleartext-Password := "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..2fdd60f00
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets
index 1ba66971a..d66f3fc24 100644
--- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets
@@ -1,7 +1,5 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: RSA moonKey.pem
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
 
 carol@strongswan.org : XAUTH "4iChxLT3"
-
-dave@strongswan.org  : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5cd9bf11e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f4ee067d5
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	right=%any
+	rightauth=pubkey
+	rightauth2=xauth-radius
+	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets
index afb1ff927..e86d6aa5c 100644
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: RSA moonKey.asc
+: RSA moonKey.pem
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..77266cfa0
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius updown
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
new file mode 100644
index 000000000..181949fb5
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+carol::ipsec stop
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
new file mode 100644
index 000000000..9adc43d3e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev1/xauth-rsa-radius/test.conf b/testing/tests/ikev1/xauth-rsa-radius/test.conf
new file mode 100644
index 000000000..b4088e8b4
--- /dev/null
+++ b/testing/tests/ikev1/xauth-rsa-radius/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice carol moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev1/xauth-rsa/evaltest.dat b/testing/tests/ikev1/xauth-rsa/evaltest.dat
index 786043065..c6637cbfe 100644
--- a/testing/tests/ikev1/xauth-rsa/evaltest.dat
+++ b/testing/tests/ikev1/xauth-rsa/evaltest.dat
@@ -1,13 +1,15 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES
-moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES
-moon::cat /var/log/auth.log::extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES
+moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
index 186d8e121..2fdd60f00 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,16 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthrsasig
 
 conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
index de1cbb134..5cd9bf11e 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
index 478e732ae..36f0c581f 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,16 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthrsasig
 
 conn home
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
+	leftauth=pubkey
+	leftauth2=xauth
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
index de1cbb134..5cd9bf11e 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
index 251041443..3c6944910 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	authby=xauthrsasig
-	xauth=server
 
 conn rw
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
+	leftauth=pubkey
 	leftfirewall=yes
 	right=%any
+	rightauth=pubkey
+	rightauth2=xauth
 	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
index de1cbb134..5cd9bf11e 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink
+charon {
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
 }
 
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
 libstrongswan {
   dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-rsa/posttest.dat b/testing/tests/ikev1/xauth-rsa/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev1/xauth-rsa/posttest.dat
+++ b/testing/tests/ikev1/xauth-rsa/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/xauth-rsa/pretest.dat b/testing/tests/ikev1/xauth-rsa/pretest.dat
index 78e2d57f8..e5a06d44c 100644
--- a/testing/tests/ikev1/xauth-rsa/pretest.dat
+++ b/testing/tests/ikev1/xauth-rsa/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev1/xauth-rsa/test.conf b/testing/tests/ikev1/xauth-rsa/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev1/xauth-rsa/test.conf
+++ b/testing/tests/ikev1/xauth-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/after-2038-certs/evaltest.dat b/testing/tests/ikev2/after-2038-certs/evaltest.dat
index 1bb9c105f..427aa74da 100644
--- a/testing/tests/ikev2/after-2038-certs/evaltest.dat
+++ b/testing/tests/ikev2/after-2038-certs/evaltest.dat
@@ -1,6 +1,8 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf
index bcdb8641b..e72f78742 100755..100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf
index 274521386..1ee751360 100755..100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/after-2038-certs/posttest.dat b/testing/tests/ikev2/after-2038-certs/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/after-2038-certs/posttest.dat
+++ b/testing/tests/ikev2/after-2038-certs/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/after-2038-certs/pretest.dat b/testing/tests/ikev2/after-2038-certs/pretest.dat
index 4921d5097..baacc1605 100644
--- a/testing/tests/ikev2/after-2038-certs/pretest.dat
+++ b/testing/tests/ikev2/after-2038-certs/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/after-2038-certs/test.conf b/testing/tests/ikev2/after-2038-certs/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/after-2038-certs/test.conf
+++ b/testing/tests/ikev2/after-2038-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-3des-md5/evaltest.dat b/testing/tests/ikev2/alg-3des-md5/evaltest.dat
index 6f598c6f3..abd29e97e 100644
--- a/testing/tests/ikev2/alg-3des-md5/evaltest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/evaltest.dat
@@ -1,13 +1,15 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ipsec statusall::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*3DES_CBC/HMAC_MD5_96,::YES
-carol::ipsec statusall::home.*3DES_CBC/HMAC_MD5_96,::YES
-moon::ip xfrm state::enc cbc(des3_ede)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES
+carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES
+moon:: ip xfrm state::enc cbc(des3_ede)::YES
 carol::ip xfrm state::enc cbc(des3_ede)::YES
-moon::ip xfrm state::auth hmac(md5)::YES
-carol::ip xfrm state::auth hmac(md5)::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf
index f2c71061d..1be5f1d8f 100755..100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf
index c4fd80fc0..e961f081d 100755..100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-3des-md5/posttest.dat b/testing/tests/ikev2/alg-3des-md5/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-3des-md5/posttest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-3des-md5/pretest.dat b/testing/tests/ikev2/alg-3des-md5/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-3des-md5/pretest.dat
+++ b/testing/tests/ikev2/alg-3des-md5/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-3des-md5/test.conf b/testing/tests/ikev2/alg-3des-md5/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-3des-md5/test.conf
+++ b/testing/tests/ikev2/alg-3des-md5/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
index 0834a8db0..5a14b98d6 100644
--- a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::IKE proposal: AES_CCM_12_128::YES
-carol::ipsec statusall::IKE proposal: AES_CCM_12_128::YES
-moon::ipsec statusall::AES_CCM_12_128,::YES
-carol::ipsec statusall::AES_CCM_12_128,::YES
-moon::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES
+moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128,::YES
+carol::ipsec statusall 2> /dev/null::AES_CCM_12_128,::YES
+moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES
 carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
index 6bcfbc28d..03707f89f 100755..100644
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
index db2c09bae..d70d7b989 100644
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
index 1d6f13861..d7ed92f7e 100755..100644
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
index db2c09bae..d70d7b989 100644
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-ccm/posttest.dat b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-ccm/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-ccm/pretest.dat b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-ccm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ccm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-aes-ccm/test.conf b/testing/tests/ikev2/alg-aes-ccm/test.conf
index acb73b06f..11423f723 100644
--- a/testing/tests/ikev2/alg-aes-ccm/test.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
index 522ce6088..6a5203a2d 100644
--- a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::IKE proposal: AES_CTR_128::YES
-carol::ipsec statusall::IKE proposal: AES_CTR_128::YES
-moon::ipsec statusall::AES_CTR_128/AES_XCBC_96,::YES
-carol::ipsec statusall::AES_CTR_128/AES_XCBC_96,::YES
-moon::ip xfrm state::rfc3686(ctr(aes))::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES
+moon:: ipsec statusall 2> /dev/null::AES_CTR_128/AES_XCBC_96,::YES
+carol::ipsec statusall 2> /dev/null::AES_CTR_128/AES_XCBC_96,::YES
+moon:: ip xfrm state::rfc3686(ctr(aes))::YES
 carol::ip xfrm state::rfc3686(ctr(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
index 70c482835..3be20c613 100755..100644
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
index be46d6d3e..e607bbae7 100644
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
index bf103742f..1cf16ee38 100755..100644
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
index be46d6d3e..e607bbae7 100644
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-ctr/posttest.dat b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-ctr/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-ctr/pretest.dat b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-ctr/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-ctr/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-aes-ctr/test.conf b/testing/tests/ikev2/alg-aes-ctr/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-aes-ctr/test.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
index 9cd3e8e15..ce27fcc05 100644
--- a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::IKE proposal: AES_GCM_16_256::YES
-carol::ipsec statusall::IKE proposal: AES_GCM_16_256::YES
-moon::ipsec statusall::AES_GCM_16_256,::YES
-carol::ipsec statusall::AES_GCM_16_256,::YES
-moon::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
+moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
+carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
+moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
 carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
index e3f19aff8..7a808ff65 100755..100644
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
index 7fe7619f1..e063e446a 100644
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
index 0d51a3ea8..12a35cb8a 100755..100644
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
index 7fe7619f1..e063e446a 100644
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-gcm/posttest.dat b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-gcm/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-gcm/pretest.dat b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-gcm/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-gcm/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-aes-gcm/test.conf b/testing/tests/ikev2/alg-aes-gcm/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-aes-gcm/test.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
index 24e36eb77..f11018347 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
@@ -1,12 +1,14 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_128/AES_XCBC_96,::YES
-carol::ipsec statusall::home.*AES_CBC_128/AES_XCBC_96,::YES
-moon::ip xfrm state::auth xcbc(aes)::YES
-carol::ip xfrm state::auth xcbc(aes)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
 
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
index 33e6a842b..74668e7fb 100755..100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
index 208477deb..3cda72935 100755..100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/posttest.dat b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-aes-xcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/test.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-blowfish/evaltest.dat b/testing/tests/ikev2/alg-blowfish/evaltest.dat
index f1b33895b..f76522c5c 100644
--- a/testing/tests/ikev2/alg-blowfish/evaltest.dat
+++ b/testing/tests/ikev2/alg-blowfish/evaltest.dat
@@ -1,14 +1,15 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
+dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES
+dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES
 carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-dave::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec statusall::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES
-dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
index a78724926..89674b2a1 100755..100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="cfg 2"
 
 conn %default
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
index fed4f5ece..1f0fd41a8 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
index 26f3f3a04..df3242d61 100755..100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
index fed4f5ece..1f0fd41a8 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
index 5183e26d2..82804a0fe 100755..100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="cfg 2"
 
 conn %default
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
index fed4f5ece..1f0fd41a8 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/posttest.dat b/testing/tests/ikev2/alg-blowfish/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/alg-blowfish/posttest.dat
+++ b/testing/tests/ikev2/alg-blowfish/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-blowfish/pretest.dat b/testing/tests/ikev2/alg-blowfish/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/alg-blowfish/pretest.dat
+++ b/testing/tests/ikev2/alg-blowfish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/alg-blowfish/test.conf b/testing/tests/ikev2/alg-blowfish/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/alg-blowfish/test.conf
+++ b/testing/tests/ikev2/alg-blowfish/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
index 80df206bf..5e4ab98b3 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat
@@ -1,13 +1,17 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_1024_160::YES
-dave::cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_2048_256::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_2048_256::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
index 257923d02..84c9c8c7c 100755..100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
index 9b5247973..5402f24f3 100755..100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
index 2b66e3400..84b3d6880 100755..100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-modp-subgroup/posttest.dat b/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
+++ b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/alg-modp-subgroup/test.conf b/testing/tests/ikev2/alg-modp-subgroup/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/test.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/alg-sha256-96/evaltest.dat b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
index 7ec47aadf..6c4e23710 100644
--- a/testing/tests/ikev2/alg-sha256-96/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
@@ -1,13 +1,15 @@
-moon::cat /var/log/daemon.log::received strongSwan vendor id::YES
-carol::cat /var/log/daemon.log::received strongSwan vendor id::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES
-carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES
-moon::ip xfrm state::auth hmac(sha256)::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::received strongSwan vendor ID::YES
+carol::cat /var/log/daemon.log::received strongSwan vendor ID::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
index 47cf1e12c..0d3b9fd45 100755..100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
index 53061a59b..eacadc544 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
index d340aaf70..b0a5c4616 100755..100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
index 53061a59b..eacadc544 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-sha256-96/posttest.dat b/testing/tests/ikev2/alg-sha256-96/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha256-96/posttest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha256-96/pretest.dat b/testing/tests/ikev2/alg-sha256-96/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha256-96/pretest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-sha256-96/test.conf b/testing/tests/ikev2/alg-sha256-96/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha256-96/test.conf
+++ b/testing/tests/ikev2/alg-sha256-96/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha256/evaltest.dat b/testing/tests/ikev2/alg-sha256/evaltest.dat
index 2d1cc92bb..eba856742 100644
--- a/testing/tests/ikev2/alg-sha256/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha256/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
-carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
-moon::ip xfrm state::auth hmac(sha256)::YES
-carol::ip xfrm state::auth hmac(sha256)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
+carol::ip xfrm state::auth-trunc hmac(sha256)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
index d2b763a1b..22d2cd38a 100755..100644
--- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
index 0e38bbb84..543374d76 100755..100644
--- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha256/posttest.dat b/testing/tests/ikev2/alg-sha256/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha256/posttest.dat
+++ b/testing/tests/ikev2/alg-sha256/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha256/pretest.dat b/testing/tests/ikev2/alg-sha256/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha256/pretest.dat
+++ b/testing/tests/ikev2/alg-sha256/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-sha256/test.conf b/testing/tests/ikev2/alg-sha256/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha256/test.conf
+++ b/testing/tests/ikev2/alg-sha256/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha384/evaltest.dat b/testing/tests/ikev2/alg-sha384/evaltest.dat
index 31bb64c5e..3b24217c5 100644
--- a/testing/tests/ikev2/alg-sha384/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha384/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-moon::ip xfrm state::auth hmac(sha384)::YES
-carol::ip xfrm state::auth hmac(sha384)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf
index d38b7dfcf..e02d90b78 100755..100644
--- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf
index ea84cd8a4..990fce1d0 100755..100644
--- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha384/posttest.dat b/testing/tests/ikev2/alg-sha384/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha384/posttest.dat
+++ b/testing/tests/ikev2/alg-sha384/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha384/pretest.dat b/testing/tests/ikev2/alg-sha384/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha384/pretest.dat
+++ b/testing/tests/ikev2/alg-sha384/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-sha384/test.conf b/testing/tests/ikev2/alg-sha384/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha384/test.conf
+++ b/testing/tests/ikev2/alg-sha384/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/alg-sha512/evaltest.dat b/testing/tests/ikev2/alg-sha512/evaltest.dat
index e0f5fb7a3..6bdceeb44 100644
--- a/testing/tests/ikev2/alg-sha512/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha512/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-carol::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-moon::ip xfrm state::auth hmac(sha512)::YES
-carol::ip xfrm state::auth hmac(sha512)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf
index 583522d1b..13ab244bb 100755..100644
--- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf
index 40fec93c0..e6d410442 100755..100644
--- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha512/posttest.dat b/testing/tests/ikev2/alg-sha512/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/alg-sha512/posttest.dat
+++ b/testing/tests/ikev2/alg-sha512/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/alg-sha512/pretest.dat b/testing/tests/ikev2/alg-sha512/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/alg-sha512/pretest.dat
+++ b/testing/tests/ikev2/alg-sha512/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/alg-sha512/test.conf b/testing/tests/ikev2/alg-sha512/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/alg-sha512/test.conf
+++ b/testing/tests/ikev2/alg-sha512/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/any-interface/evaltest.dat b/testing/tests/ikev2/any-interface/evaltest.dat
index f475ba70b..800ae4353 100644
--- a/testing/tests/ikev2/any-interface/evaltest.dat
+++ b/testing/tests/ikev2/any-interface/evaltest.dat
@@ -1,10 +1,17 @@
-moon::cat /var/log/daemon.log::creating acquire job::YES
-bob::cat /var/log/daemon.log::creating acquire job::YES
-moon::ipsec statusall::alice.*INSTALLED, TRANSPORT::YES
-moon::ipsec statusall::sun.*INSTALLED, TRANSPORT::YES
-alice::ipsec statusall::remote.*INSTALLED, TRANSPORT::YES
-sun::ipsec statusall::remote.*INSTALLED, TRANSPORT::YES
-bob::ipsec statusall::sun.*INSTALLED, TRANSPORT::YES
+moon:: cat /var/log/daemon.log::creating acquire job::YES
+bob::  cat /var/log/daemon.log::creating acquire job::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*CN=moon.strongswan.org.*CN=alice@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::sun.*ESTABLISHED.*CN=moon.strongswan.org.*CN=sun.strongswan.org::YES
+alice::ipsec status 2> /dev/null::remote.*ESTABLISHED.*CN=alice@strongswan.org.*CN=moon.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::remote\[1]: ESTABLISHED.*CN=sun.strongswan.org.*CN=moon.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::remote\[2]: ESTABLISHED.*CN=sun.strongswan.org.*CN=bob@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::sun.*ESTABLISHED.*CN=bob@strongswan.org.*CN=sun.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TRANSPORT::YES
+moon:: ipsec status 2> /dev/null::sun.*INSTALLED, TRANSPORT::YES
+alice::ipsec status 2> /dev/null::remote.*INSTALLED, TRANSPORT::YES
+sun::  ipsec status 2> /dev/null::remote[{]1}.*INSTALLED, TRANSPORT::YES
+sun::  ipsec status 2> /dev/null::remote[{]2}.*INSTALLED, TRANSPORT::YES
+bob::  ipsec status 2> /dev/null::sun.*INSTALLED, TRANSPORT::YES
 alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
 alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf
index eb7dfe848..4f2c78fd3 100755..100644
--- a/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
index cb1485446..a14fc560c 100644
--- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
index 40d029b3e..c232c4332 100755..100644
--- a/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
index cb1485446..a14fc560c 100644
--- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
index ab0534331..17fcf0a7a 100755..100644
--- a/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
index cb1485446..a14fc560c 100644
--- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf
index 71699b08e..fce24ef25 100755..100644
--- a/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
index cb1485446..a14fc560c 100644
--- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/pretest.dat b/testing/tests/ikev2/any-interface/pretest.dat
index b8e91194e..0a6ce8be4 100644
--- a/testing/tests/ikev2/any-interface/pretest.dat
+++ b/testing/tests/ikev2/any-interface/pretest.dat
@@ -1,5 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
 winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
 winnetou::ip route add 10.2.0.0/16 via PH_IP_SUN
 alice::ipsec start
diff --git a/testing/tests/ikev2/any-interface/test.conf b/testing/tests/ikev2/any-interface/test.conf
index 25e5cd872..cc04d45e6 100644
--- a/testing/tests/ikev2/any-interface/test.conf
+++ b/testing/tests/ikev2/any-interface/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice sun bob"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon sun bob"
diff --git a/testing/tests/ikev2/compress/evaltest.dat b/testing/tests/ikev2/compress/evaltest.dat
index 22dd94866..b989a7774 100644
--- a/testing/tests/ikev2/compress/evaltest.dat
+++ b/testing/tests/ikev2/compress/evaltest.dat
@@ -1,8 +1,10 @@
-moon::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
-moon::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
-carol::ipsec status::home.*INSTALLED::YES
-moon::ipsec status::rw.*INSTALLED::YES
-moon::ip xfrm state::proto comp spi::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
+moon:: ip xfrm state::proto comp spi::YES
 carol::ip xfrm state::proto comp spi::YES
 carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
 moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
index 670a50c00..7502175e7 100755..100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
index 91abfd4da..aa1be047e 100755..100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat
index 7d077c126..f5aa989fe 100644
--- a/testing/tests/ikev2/compress/pretest.dat
+++ b/testing/tests/ikev2/compress/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/compress/test.conf b/testing/tests/ikev2/compress/test.conf
index 6abbb89a9..d7b71426c 100644
--- a/testing/tests/ikev2/compress/test.conf
+++ b/testing/tests/ikev2/compress/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/config-payload-swapped/evaltest.dat b/testing/tests/ikev2/config-payload-swapped/evaltest.dat
index 73d5ea206..b6a1c96a6 100644
--- a/testing/tests/ikev2/config-payload-swapped/evaltest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/evaltest.dat
@@ -1,15 +1,19 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*INSTALLED::YES
-moon::ipsec status::rw-dave.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
index 6894a952c..c453475e0 100755..100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
index cefbc8270..9da73d9a2 100755..100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
index 222673704..ef974c98f 100755..100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/posttest.dat b/testing/tests/ikev2/config-payload-swapped/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/config-payload-swapped/posttest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/config-payload-swapped/pretest.dat b/testing/tests/ikev2/config-payload-swapped/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev2/config-payload-swapped/pretest.dat
+++ b/testing/tests/ikev2/config-payload-swapped/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/config-payload-swapped/test.conf b/testing/tests/ikev2/config-payload-swapped/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/config-payload-swapped/test.conf
+++ b/testing/tests/ikev2/config-payload-swapped/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/config-payload/evaltest.dat b/testing/tests/ikev2/config-payload/evaltest.dat
index 3451112cc..b46dfddf6 100644
--- a/testing/tests/ikev2/config-payload/evaltest.dat
+++ b/testing/tests/ikev2/config-payload/evaltest.dat
@@ -1,17 +1,21 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
 carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
 carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*INSTALLED::YES
-moon::ipsec status::rw-dave.*INSTALLED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
index cb5f6406b..0e4e57729 100644
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
index cb5f6406b..0e4e57729 100644
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
index bb558fe25..a8cf08544 100755..100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
index f763e3ef1..002166a54 100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr
+
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev2/config-payload/posttest.dat b/testing/tests/ikev2/config-payload/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/config-payload/posttest.dat
+++ b/testing/tests/ikev2/config-payload/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/config-payload/pretest.dat b/testing/tests/ikev2/config-payload/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev2/config-payload/pretest.dat
+++ b/testing/tests/ikev2/config-payload/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/config-payload/test.conf b/testing/tests/ikev2/config-payload/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/config-payload/test.conf
+++ b/testing/tests/ikev2/config-payload/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/critical-extension/evaltest.dat b/testing/tests/ikev2/critical-extension/evaltest.dat
index 8c2f8ec9d..05c2c2f4d 100644
--- a/testing/tests/ikev2/critical-extension/evaltest.dat
+++ b/testing/tests/ikev2/critical-extension/evaltest.dat
@@ -1,6 +1,8 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED::NO
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED::NO
 moon::cat /var/log/daemon.log::sending end entity cert::YES
 moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-sun::cat /var/log/daemon.log::critical 'strongSwan' extension not supported::YES
-sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
-sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
-sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
+sun:: cat /var/log/daemon.log::critical 'strongSwan' extension not supported::YES
+sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
+sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
+sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
index 2e3c9dde4..3b065774f 100755..100644
--- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
index bfc83ab4d..c393b298a 100644
--- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
 
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
index 19e197131..2b4406d75 100755..100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/critical-extension/posttest.dat b/testing/tests/ikev2/critical-extension/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/critical-extension/posttest.dat
+++ b/testing/tests/ikev2/critical-extension/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/critical-extension/pretest.dat
+++ b/testing/tests/ikev2/critical-extension/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/critical-extension/test.conf b/testing/tests/ikev2/critical-extension/test.conf
index 41ee3037e..b286ef6eb 100644
--- a/testing/tests/ikev2/critical-extension/test.conf
+++ b/testing/tests/ikev2/critical-extension/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/crl-from-cache/evaltest.dat b/testing/tests/ikev2/crl-from-cache/evaltest.dat
index 2f4cf7afa..2d649bbee 100644
--- a/testing/tests/ikev2/crl-from-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-from-cache/evaltest.dat
@@ -1,10 +1,12 @@
-moon::cat /var/log/daemon.log::loaded crl from::YES
-moon::cat /var/log/daemon.log::crl is valid::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec listcrls:: ok::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::loaded crl from::YES
+moon:: cat /var/log/daemon.log::crl is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
+moon:: cat /var/log/daemon.log::using cached crl::YES
+moon:: ipsec listcrls 2> /dev/null:: ok::YES
 carol::cat /var/log/daemon.log::loaded crl from::YES
 carol::cat /var/log/daemon.log::crl is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-carol::ipsec listcrls:: ok::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
+carol::cat /var/log/daemon.log::using cached crl::YES
+carol::ipsec listcrls 2> /dev/null:: ok::YES
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
index 4d47c831c..17a58545c 100755..100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
 	cachecrls=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
index 9488a6822..3314f7538 100755..100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
 	cachecrls=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-from-cache/test.conf b/testing/tests/ikev2/crl-from-cache/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-from-cache/test.conf
+++ b/testing/tests/ikev2/crl-from-cache/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-ldap/evaltest.dat b/testing/tests/ikev2/crl-ldap/evaltest.dat
index 5ab094401..b0774c64d 100644
--- a/testing/tests/ikev2/crl-ldap/evaltest.dat
+++ b/testing/tests/ikev2/crl-ldap/evaltest.dat
@@ -1,12 +1,12 @@
-moon::cat /var/log/daemon.log::loaded crl from::YES
-moon::cat /var/log/daemon.log::crl is stale::YES
-moon::cat /var/log/daemon.log::fetching crl from.*ldap::YES
-moon::cat /var/log/daemon.log::crl is valid::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::loaded crl from::YES
+moon:: cat /var/log/daemon.log::crl is stale::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap::YES
+moon:: cat /var/log/daemon.log::crl is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
 carol::cat /var/log/daemon.log::loaded crl from::YES
 carol::cat /var/log/daemon.log::crl is stale::YES
 carol::cat /var/log/daemon.log::fetching crl from.*ldap::YES
 carol::cat /var/log/daemon.log::crl is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 999d0d183..000000000
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
index 26d34de47..69ba4205f 100755..100644
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
 	cachecrls=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..debcc2181
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
index cccd6ae27..d0c3f8c49 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 4f4f3228b..000000000
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
index 1d2a68528..25656cbda 100755..100644
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
 	cachecrls=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..debcc2181
--- /dev/null
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
index cccd6ae27..d0c3f8c49 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/crl-ldap/posttest.dat b/testing/tests/ikev2/crl-ldap/posttest.dat
index bddd87424..8474bd3aa 100644
--- a/testing/tests/ikev2/crl-ldap/posttest.dat
+++ b/testing/tests/ikev2/crl-ldap/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/crls/*
 carol::rm /etc/ipsec.d/crls/*
diff --git a/testing/tests/ikev2/crl-ldap/pretest.dat b/testing/tests/ikev2/crl-ldap/pretest.dat
index 64fa8116b..8ffa9d3ed 100644
--- a/testing/tests/ikev2/crl-ldap/pretest.dat
+++ b/testing/tests/ikev2/crl-ldap/pretest.dat
@@ -1,6 +1,6 @@
 winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/crl-ldap/test.conf b/testing/tests/ikev2/crl-ldap/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-ldap/test.conf
+++ b/testing/tests/ikev2/crl-ldap/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat
index 62ed8676a..4f3e10ba1 100644
--- a/testing/tests/ikev2/crl-revoked/evaltest.dat
+++ b/testing/tests/ikev2/crl-revoked/evaltest.dat
@@ -1,4 +1,4 @@
-moon::cat /var/log/daemon.log::certificate was revoked::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+moon:: cat /var/log/daemon.log::certificate was revoked::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-moon::ipsec status::rw.*ESTABLISHED::NO
-carol::ipsec status::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
index cbab29414..95cd144ba 100755..100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
index dd50c335b..918d97413 100755..100644
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-revoked/test.conf b/testing/tests/ikev2/crl-revoked/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-revoked/test.conf
+++ b/testing/tests/ikev2/crl-revoked/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/crl-to-cache/evaltest.dat b/testing/tests/ikev2/crl-to-cache/evaltest.dat
index afc8f67e4..fe6a55aae 100644
--- a/testing/tests/ikev2/crl-to-cache/evaltest.dat
+++ b/testing/tests/ikev2/crl-to-cache/evaltest.dat
@@ -1,4 +1,4 @@
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
 carol::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
index 4d47c831c..17a58545c 100755..100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
 	cachecrls=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
index 9488a6822..3314f7538 100755..100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
 	cachecrls=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-to-cache/test.conf b/testing/tests/ikev2/crl-to-cache/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/crl-to-cache/test.conf
+++ b/testing/tests/ikev2/crl-to-cache/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/default-keys/description.txt b/testing/tests/ikev2/default-keys/description.txt
index 639e909da..889f8297a 100644
--- a/testing/tests/ikev2/default-keys/description.txt
+++ b/testing/tests/ikev2/default-keys/description.txt
@@ -1,8 +1,8 @@
 Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b>
 and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key
-and a self-signed X.509 certificate. Because the UML testing environment does
-not offer enough entropy, the non-blocking /dev/urandom device is used in place
-of /dev/random for generating the random primes.
+and a self-signed X.509 certificate. Because the virtual testing environment
+does not offer enough entropy, the non-blocking /dev/urandom device is used in
+place of /dev/random for generating the random primes.
 <p>
 The self-signed certificates are then distributed to the peers via scp
 and are used to set up a road warrior connection initiated by <b>carol</b> 
diff --git a/testing/tests/ikev2/default-keys/evaltest.dat b/testing/tests/ikev2/default-keys/evaltest.dat
index 2c1e11c97..4df2d1e11 100644
--- a/testing/tests/ikev2/default-keys/evaltest.dat
+++ b/testing/tests/ikev2/default-keys/evaltest.dat
@@ -1,7 +1,9 @@
 carol::cat /var/log/auth.log::scepclient::YES
-moon::cat /var/log/auth.log::scepclient::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-moon::ipsec statusall::carol.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/auth.log::scepclient::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*CN=carol.*CN=moon::YES
+moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*CN=moon.*CN=carol::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
index 9574f18bb..15aba18e5 100755..100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
index eabe265ca..5a243caab 100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce
 }
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 5a262c084..000000000
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,82 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A INPUT  -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
index 5b2c4e3f4..278943d28 100755..100644
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..72a1c17c3
--- /dev/null
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules
@@ -0,0 +1,30 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --sport 22 -j ACCEPT
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+-A OUTPUT -p tcp --dport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
index eabe265ca..5a243caab 100644
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 scepclient {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce
 }
diff --git a/testing/tests/ikev2/default-keys/posttest.dat b/testing/tests/ikev2/default-keys/posttest.dat
index 8cada5e7e..25f737ecc 100644
--- a/testing/tests/ikev2/default-keys/posttest.dat
+++ b/testing/tests/ikev2/default-keys/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 carol::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat
index 88f9a2ca9..ef5f67097 100644
--- a/testing/tests/ikev2/default-keys/pretest.dat
+++ b/testing/tests/ikev2/default-keys/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 carol::rm /etc/ipsec.secrets
 carol::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/certs/*
@@ -10,9 +10,10 @@ moon::rm /etc/ipsec.d/private/*
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
-moon::sleep 5 
+moon::sleep 5
 moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der
 moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der
-moon::ipsec reload 
-carol::ipsec reload 
+moon::ipsec reload
+carol::ipsec reload
+carol::sleep 1
 carol::ipsec up home
diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/ikev2/default-keys/test.conf
index 0baa48d90..ce84ce41a 100644
--- a/testing/tests/ikev2/default-keys/test.conf
+++ b/testing/tests/ikev2/default-keys/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol"
+VIRTHOSTS="alice moon carol"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
index b3814084f..9e536870e 100644
--- a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat
@@ -1,21 +1,25 @@
-carol::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.50/32::YES
-moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.51/32::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.50/32::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.51/32::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol3.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol3.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave3.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave3.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 058bebb2d..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow bootpc and bootps
-	iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
-	iptables -A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
-
-	# allow broadcasts from eth1
-	iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # log dropped packets
-        iptables -A INPUT  -j LOG --log-prefix " IN: "
-        iptables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf
index 3868a7a38..a774f2a76 100755..100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..2d9a466b0
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow bootpc and bootps
+-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+-A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
+
+# allow broadcasts from eth1
+-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
index 317e4ddc0..609d35754 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
   plugins {
     dhcp {
       server = 10.1.255.255
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
index 2176af702..7a178505f 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf
@@ -4,11 +4,11 @@ ddns-update-style none;
 
 subnet 10.1.0.0 netmask 255.255.0.0 {
   option domain-name          "strongswan.org";
-  option domain-name-servers   10.1.0.20;
-  option netbios-name-servers  10.1.0.10;
-  option routers               10.1.0.1;
+  option domain-name-servers   PH_IP_VENUS;
+  option netbios-name-servers  PH_IP_ALICE;
+  option routers               PH_IP_MOON1;
   option broadcast-address     10.1.255.255;
-  next-server                  10.1.0.20;
+  next-server                  PH_IP_VENUS;
 
   range 10.1.0.50 10.1.0.60;
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
index 2d35dfd64..ec8c945a7 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf
@@ -1,7 +1,7 @@
 interface=eth0
 dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
-dhcp-option=option:router,10.1.0.1
-dhcp-option=option:dns-server,10.1.0.20
-dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-option=option:router,PH_IP_MOON1
+dhcp-option=option:dns-server,PH_IP_VENUS
+dhcp-option=option:netbios-ns,PH_IP_ALICE
 dhcp-option=option:domain-name,strongswan.org
 log-dhcp
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd
deleted file mode 100755
index 4044dcc35..000000000
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop"
-
-depend() {
-	need net
-	need logger
-}
-
-start() {
-	ebegin "Starting DHCP server"
-	start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping DHCP server"
-	start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
-	rm -f /var/state/dhcp/dhcpd.leases
-	touch /var/state/dhcp/dhcpd.leases
-	eend $?
-}
diff --git a/testing/tests/ikev2/dhcp-dynamic/posttest.dat b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
index 1f5487596..f783127bf 100644
--- a/testing/tests/ikev2/dhcp-dynamic/posttest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/posttest.dat
@@ -2,9 +2,9 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 venus::cat /var/state/dhcp/dhcpd.leases
-venus::/etc/init.d/dhcpd stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 alice::arp -d 10.1.0.50
 alice::arp -d 10.1.0.51
diff --git a/testing/tests/ikev2/dhcp-dynamic/pretest.dat b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
index bd36b4fe3..5670a2e89 100644
--- a/testing/tests/ikev2/dhcp-dynamic/pretest.dat
+++ b/testing/tests/ikev2/dhcp-dynamic/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-venus::cat /etc/dhcpd.conf
-venus::/etc/init.d/dhcpd start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+venus::cat /etc/dhcp/dhcpd.conf
+venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::sleep 2
 carol::ipsec up home
 dave::ipsec up home
 carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-dynamic/test.conf b/testing/tests/ikev2/dhcp-dynamic/test.conf
index a2ad7b25f..fd8a59c90 100644
--- a/testing/tests/ikev2/dhcp-dynamic/test.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
index 8abd2416a..c95b69a11 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat
@@ -1,21 +1,25 @@
-carol::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.30/32::YES
-moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.40/32::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.40/32::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 058bebb2d..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow bootpc and bootps
-	iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
-	iptables -A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
-
-	# allow broadcasts from eth1
-	iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # log dropped packets
-        iptables -A INPUT  -j LOG --log-prefix " IN: "
-        iptables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
index 3868a7a38..a774f2a76 100755..100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..2d9a466b0
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow bootpc and bootps
+-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+-A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
+
+# allow broadcasts from eth1
+-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
index 317e4ddc0..609d35754 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
   plugins {
     dhcp {
       server = 10.1.255.255
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf
index 44ee681b6..334ea30e2 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf
@@ -4,11 +4,11 @@ ddns-update-style none;
 
 subnet 10.1.0.0 netmask 255.255.0.0 {
   option domain-name            "strongswan.org";
-  option domain-name-servers     10.1.0.20;
-  option netbios-name-servers    10.1.0.10;
-  option routers                 10.1.0.1;
+  option domain-name-servers     PH_IP_VENUS;
+  option netbios-name-servers    PH_IP_ALICE;
+  option routers                 PH_IP_MOON1;
   option broadcast-address       10.1.255.255;
-  next-server                    10.1.0.20;
+  next-server                    PH_IP_VENUS;
 
   range 10.1.0.50 10.1.0.60;
 }
@@ -22,4 +22,3 @@ host dave {
   option dhcp-client-identifier "dave@strongswan.org";
   fixed-address                  10.1.0.40;
 }
-
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
index 5672236a0..aca225955 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf
@@ -2,8 +2,8 @@ interface=eth0
 dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
 dhcp-host=id:carol@strongswan.org,10.1.0.30
 dhcp-host=id:dave@strongswan.org,10.1.0.40
-dhcp-option=option:router,10.1.0.1
-dhcp-option=option:dns-server,10.1.0.20
-dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-option=option:router,PH_IP_MOON1
+dhcp-option=option:dns-server,PH_IP_VENUS
+dhcp-option=option:netbios-ns,PH_IP_ALICE
 dhcp-option=option:domain-name,strongswan.org
 log-dhcp
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd
deleted file mode 100755
index 4044dcc35..000000000
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop"
-
-depend() {
-	need net
-	need logger
-}
-
-start() {
-	ebegin "Starting DHCP server"
-	start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping DHCP server"
-	start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
-	rm -f /var/state/dhcp/dhcpd.leases
-	touch /var/state/dhcp/dhcpd.leases
-	eend $?
-}
diff --git a/testing/tests/ikev2/dhcp-static-client-id/posttest.dat b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
index e1aadc618..7fff9981b 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-venus::/etc/init.d/dhcpd stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 alice::arp -d 10.1.0.30
 alice::arp -d 10.1.0.40
diff --git a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
index bd36b4fe3..5670a2e89 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-venus::cat /etc/dhcpd.conf
-venus::/etc/init.d/dhcpd start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+venus::cat /etc/dhcp/dhcpd.conf
+venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::sleep 2
 carol::ipsec up home
 dave::ipsec up home
 carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-static-client-id/test.conf b/testing/tests/ikev2/dhcp-static-client-id/test.conf
index a2ad7b25f..fd8a59c90 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/test.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
index 8abd2416a..c95b69a11 100644
--- a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat
@@ -1,21 +1,25 @@
-carol::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.30/32::YES
-moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.40/32::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.40/32::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 058bebb2d..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow bootpc and bootps
-	iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
-	iptables -A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
-
-	# allow broadcasts from eth1
-	iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # log dropped packets
-        iptables -A INPUT  -j LOG --log-prefix " IN: "
-        iptables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf
index 3868a7a38..a774f2a76 100755..100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..2d9a466b0
--- /dev/null
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules
@@ -0,0 +1,39 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow bootpc and bootps
+-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT
+-A INPUT  -p udp --sport bootps --dport bootps -j ACCEPT
+
+# allow broadcasts from eth1
+-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
index ecfc51d44..75c605f60 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
   plugins {
     dhcp {
       server = 10.1.255.255
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
index 20666f701..97c5efac6 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf
@@ -4,22 +4,21 @@ ddns-update-style none;
 
 subnet 10.1.0.0 netmask 255.255.0.0 {
   option domain-name          "strongswan.org";
-  option domain-name-servers   10.1.0.20;
-  option netbios-name-servers  10.1.0.10;
-  option routers               10.1.0.1;
+  option domain-name-servers   PH_IP_VENUS;
+  option netbios-name-servers  PH_IP_ALICE;
+  option routers               PH_IP_MOON1;
   option broadcast-address     10.1.255.255;
-  next-server                  10.1.0.20;
+  next-server                  PH_IP_VENUS;
 
   range 10.1.0.50 10.1.0.60;
 }
 
 host carol {
-  hardware ethernet            7a:a7:8f:fc:db:3b;
+  hardware ethernet            7a:a7:51:cc:22:4a;
   fixed-address                10.1.0.30;
 }
 
 host dave {
-  hardware ethernet            7a:a7:35:78:bc:85;
+  hardware ethernet            7a:a7:93:70:2b:21;
   fixed-address                10.1.0.40;
 }
-
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
index e3729081f..ed28c69ac 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf
@@ -1,9 +1,9 @@
 interface=eth0
 dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255
-dhcp-host=7a:a7:8f:fc:db:3b,10.1.0.30
-dhcp-host=7a:a7:35:78:bc:85,10.1.0.40
-dhcp-option=option:router,10.1.0.1
-dhcp-option=option:dns-server,10.1.0.20
-dhcp-option=option:netbios-ns,10.1.0.10
+dhcp-host=7a:a7:51:cc:22:4a,10.1.0.30
+dhcp-host=7a:a7:93:70:2b:21,10.1.0.40
+dhcp-option=option:router,PH_IP_MOON1
+dhcp-option=option:dns-server,PH_IP_VENUS
+dhcp-option=option:netbios-ns,PH_IP_ALICE
 dhcp-option=option:domain-name,strongswan.org
 log-dhcp
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd
deleted file mode 100755
index 4044dcc35..000000000
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop"
-
-depend() {
-	need net
-	need logger
-}
-
-start() {
-	ebegin "Starting DHCP server"
-	start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping DHCP server"
-	start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid
-	rm -f /var/state/dhcp/dhcpd.leases
-	touch /var/state/dhcp/dhcpd.leases
-	eend $?
-}
diff --git a/testing/tests/ikev2/dhcp-static-mac/posttest.dat b/testing/tests/ikev2/dhcp-static-mac/posttest.dat
index e1aadc618..7fff9981b 100644
--- a/testing/tests/ikev2/dhcp-static-mac/posttest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-venus::/etc/init.d/dhcpd stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 alice::arp -d 10.1.0.30
 alice::arp -d 10.1.0.40
diff --git a/testing/tests/ikev2/dhcp-static-mac/pretest.dat b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
index bd36b4fe3..5670a2e89 100644
--- a/testing/tests/ikev2/dhcp-static-mac/pretest.dat
+++ b/testing/tests/ikev2/dhcp-static-mac/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-venus::cat /etc/dhcpd.conf
-venus::/etc/init.d/dhcpd start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+venus::cat /etc/dhcp/dhcpd.conf
+venus::/etc/init.d/isc-dhcp-server start 2> /dev/null
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
-carol::sleep 2 
+carol::sleep 2
 carol::ipsec up home
 dave::ipsec up home
 carol::sleep 1
diff --git a/testing/tests/ikev2/dhcp-static-mac/test.conf b/testing/tests/ikev2/dhcp-static-mac/test.conf
index a2ad7b25f..fd8a59c90 100644
--- a/testing/tests/ikev2/dhcp-static-mac/test.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat
index aa69dabfa..52c561964 100644
--- a/testing/tests/ikev2/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev2/double-nat-net/evaltest.dat
@@ -1,5 +1,7 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-bob::ipsec statusall::nat-t.*INSTALLED::YES
-alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf
index c8aa460cf..38629d12a 100755..100644
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf
index f0c5b6f15..1c4a80769 100755..100644
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat-net/posttest.dat b/testing/tests/ikev2/double-nat-net/posttest.dat
index 484297418..63d4f98e7 100644
--- a/testing/tests/ikev2/double-nat-net/posttest.dat
+++ b/testing/tests/ikev2/double-nat-net/posttest.dat
@@ -1,7 +1,7 @@
 bob::ipsec stop
 alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev2/double-nat-net/pretest.dat b/testing/tests/ikev2/double-nat-net/pretest.dat
index 41b69aed6..17a4fe5eb 100644
--- a/testing/tests/ikev2/double-nat-net/pretest.dat
+++ b/testing/tests/ikev2/double-nat-net/pretest.dat
@@ -1,8 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-bob::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
diff --git a/testing/tests/ikev2/double-nat-net/test.conf b/testing/tests/ikev2/double-nat-net/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev2/double-nat-net/test.conf
+++ b/testing/tests/ikev2/double-nat-net/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat
index 77deea2a7..9ddad2de5 100644
--- a/testing/tests/ikev2/double-nat/evaltest.dat
+++ b/testing/tests/ikev2/double-nat/evaltest.dat
@@ -1,5 +1,7 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-bob::ipsec statusall::nat-t.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+bob::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf
index 26830f390..fe5b5f299 100755..100644
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf
index b4a24cb1f..1004ee971 100755..100644
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules b/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/posttest.dat b/testing/tests/ikev2/double-nat/posttest.dat
index 5d39e406d..aa806bfc9 100644
--- a/testing/tests/ikev2/double-nat/posttest.dat
+++ b/testing/tests/ikev2/double-nat/posttest.dat
@@ -1,7 +1,7 @@
 bob::ipsec stop
 alice::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 sun::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev2/double-nat/pretest.dat b/testing/tests/ikev2/double-nat/pretest.dat
index 10ba6d735..65f18b756 100644
--- a/testing/tests/ikev2/double-nat/pretest.dat
+++ b/testing/tests/ikev2/double-nat/pretest.dat
@@ -1,7 +1,5 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100
diff --git a/testing/tests/ikev2/double-nat/test.conf b/testing/tests/ikev2/double-nat/test.conf
index 1ca2ffe5a..d2e31d257 100644
--- a/testing/tests/ikev2/double-nat/test.conf
+++ b/testing/tests/ikev2/double-nat/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice bob"
diff --git a/testing/tests/ikev2/dpd-clear/evaltest.dat b/testing/tests/ikev2/dpd-clear/evaltest.dat
index 86c0227bd..c1a271903 100644
--- a/testing/tests/ikev2/dpd-clear/evaltest.dat
+++ b/testing/tests/ikev2/dpd-clear/evaltest.dat
@@ -1,6 +1,8 @@
-carol::ipsec statusall::home.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::sleep 180::no output expected::NO
-moon::cat /var/log/daemon.log::sending DPD request::YES
-moon::cat /var/log/daemon.log::retransmit.*of request::YES
-moon::cat /var/log/daemon.log::giving up after 5 retransmits::YES
+moon:: sleep 180::no output expected::NO
+moon:: cat /var/log/daemon.log::sending DPD request::YES
+moon:: cat /var/log/daemon.log::retransmit.*of request::YES
+moon:: cat /var/log/daemon.log::giving up after 5 retransmits::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
index bcdb8641b..e72f78742 100755..100644
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
index cdb40d72d..75b377f5f 100755..100644
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-clear/test.conf b/testing/tests/ikev2/dpd-clear/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/dpd-clear/test.conf
+++ b/testing/tests/ikev2/dpd-clear/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dpd-hold/evaltest.dat b/testing/tests/ikev2/dpd-hold/evaltest.dat
index 2cf063762..4c035a6e9 100644
--- a/testing/tests/ikev2/dpd-hold/evaltest.dat
+++ b/testing/tests/ikev2/dpd-hold/evaltest.dat
@@ -1,14 +1,14 @@
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
-moon::iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 carol::sleep 180::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::retransmit.*of request::YES
 carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::ping -c 1 PH_IP_ALICE::trigger route::NO
 carol::sleep 2::no output expected::NO
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
index bfc8ac34c..aa1a05169 100755..100644
--- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
index cdb40d72d..75b377f5f 100755..100644
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-hold/test.conf b/testing/tests/ikev2/dpd-hold/test.conf
index 5442565f8..f8b62b953 100644
--- a/testing/tests/ikev2/dpd-hold/test.conf
+++ b/testing/tests/ikev2/dpd-hold/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dpd-restart/evaltest.dat b/testing/tests/ikev2/dpd-restart/evaltest.dat
index 28edd4823..962bd0636 100644
--- a/testing/tests/ikev2/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev2/dpd-restart/evaltest.dat
@@ -1,13 +1,13 @@
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
-moon::iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 carol::sleep 180::no output expected::NO
 carol::cat /var/log/daemon.log::sending DPD request::YES
 carol::cat /var/log/daemon.log::retransmit.*of request::YES
 carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES
 carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
+moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO
 carol::sleep 10::no output expected::NO
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
index 631eac9b6..dfc77a43a 100755..100644
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
index cdb40d72d..75b377f5f 100755..100644
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-restart/test.conf b/testing/tests/ikev2/dpd-restart/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/dpd-restart/test.conf
+++ b/testing/tests/ikev2/dpd-restart/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/dynamic-initiator/description.txt b/testing/tests/ikev2/dynamic-initiator/description.txt
new file mode 100644
index 000000000..e74ee1569
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/description.txt
@@ -0,0 +1,12 @@
+The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
+is defined symbolically by <b>right=&lt;hostname&gt;</b>. The ipsec starter resolves the
+fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
+/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
+<b>rightallowany=yes</b> will allow an IKE_SA rekeying to arrive from an arbitrary
+IP address under the condition that the peer identity remains unchanged. When this happens
+the old tunnel is replaced by an IPsec connection to the new origin.
+<p>
+In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
+suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
+old tunnel first (simulated by iptables blocking IKE packets to and from
+<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity). 
diff --git a/testing/tests/ikev2/dynamic-initiator/evaltest.dat b/testing/tests/ikev2/dynamic-initiator/evaltest.dat
new file mode 100644
index 000000000..3db70be71
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/evaltest.dat
@@ -0,0 +1,10 @@
+carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES
+moon:: cat /var/log/daemon.log::destroying duplicate IKE_SA for.*carol@strongswan.org.*received INITIAL_CONTACT::YES
+moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..6fca045f6
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn moon 
+	left=%any
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=%moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..6fca045f6
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn moon 
+	left=%any
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=%moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem
index 6c41df9c7..6c41df9c7 100644
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..41a139954
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429
+
+mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq
+i18EuCZHkdMBc8+lY0iEpNwbs3UbCP73lGn+IIjlOrS0xi4PP9iV1jxg/k+WF4rH
+jhIUhi3wc1cAaFLLj8bBvnx6t4mF3nTZZ119wSsa5ewy5RZGWcdN8NKtyNgFYTFx
+m5ACRErFuq8aFmcKVgwzLZH+e9fd7xKHS7XoP9vla7+iKkW5bzfkGP5E8irbOqce
+pyUE81FrD8irD0uK4mnrMRDDGrD02mYNSMGyhT5o1RDQJbaRupih9nU+SaTR2Kxq
+J/ScYak4EwmCIXixwuhwokDPTB1EuyQ1h5ywarkgt1TCZKoI2odqoILB2Dbrsmdf
+dKLqI8Q/kR4h5meCc0e3401VXIaOJWk5GMbxz+6641uWnTdLKedzC5gWCI7QIDFB
+h5n5m3tsSe6LRksqJpgPL/+vV/r+OrNEi4KGK9NxETZxeb/7gBSVFWbDXH5AO+wC
+/RlPYHaoDt+peRm3LUDBGQBPtvZUDiDHlW4v8wtgCEZXAPZPdaFRUSDYMYdbbebY
+EsxWa6G00Gau08EOPSgFIReGuACRkP4diiSE4ZTiC9HD2cuUN/D01ck+SD6UgdHV
+pyf6tHej/AdVG3HD5dRCmCCyfucW0gS7R+/+C4DzVHwZKAXJRSxmXLOHT0Gk8Woe
+sM8gbHOoV8OfLAfZDwibvnDq7rc82q5sSiGOKH7Fg5LYIjRB0UazCToxGVtxfWMz
+kPrzZiQT45QDa3gQdkHzF21s+fNpx/cZ1V1Mv+1E3KAX9XsAm/sNl0NAZ6G0AbFk
+gHIWoseiKxouTCDGNe/gC40r9XNhZdFCEzzJ9A77eScu0aTa5FHrC2w9YO2wHcja
+OT2AyZrVqOWB1/hIwAqk8ApXA3FwJbnQE0FxyLcYiTvCNM+XYIPLstD09axLFb53
+D4DXEncmvW4+axDg8G3s84olPGLgJL3E8pTFPYWHKsJgqsloAc/GD2Qx0PCinySM
+bVQckgzpVL3SvxeRRfx8SHl9F9z+GS4gZtM/gT9cDgcVOpVQpOcln5AR/mF/aoyo
+BW96LSmEk5l4yeBBba63Qcz1HRr2NSvXJuqdjw6qTZNBWtjmSxHywKZYRlSqzNZx
+7B6DGHTIOfGNhcy2wsd4cuftVYByGxfFjw7bHIDa4/ySdDykL7J+REfg8QidlCJB
+UN/2VjaNipQo38RczWLUfloMkMMrWYpXOm9koes+Vldm7Bco+eCONIS50DJDOhZs
+H037A+UMElXmtCrHPJGxQf8k1Qirn6BWOuRmXg8sXqeblIrPlZU+DghYXzA/nRxB
+y+nUx+Ipbj022uJNVtFwhP70TIqYm/O6Ol/zRbo6yRsR6uEnnb4wRi5IxHnM/iGA
+zWPzLRDSeVPkhu2pZ7JygabCiXbbgFTN1enJvLWvIAcB0LS8wQz0yKQ7oj32T0Ty
+AD3c/qS8kmsrZDe3H+lEfMCcJRnHUrR/SBChSdx7LF9mnLlWuJLLHmrz87x7Z2o6
+nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.secrets
index 6a2aea811..6a2aea811 100644
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..2e5f01a06
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn carol
+	left=%any
+	leftsubnet=10.1.0.0/16
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftfirewall=yes
+	right=%carol.strongswan.org
+	rightid=carol@strongswan.org
+	rightsourceip=PH_IP_CAROL1
+	auto=add
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/dynamic-initiator/posttest.dat b/testing/tests/ikev2/dynamic-initiator/posttest.dat
new file mode 100644
index 000000000..83063a23f
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/posttest.dat
@@ -0,0 +1,9 @@
+dave::ipsec stop
+carol::ipsec stop
+dave::sleep 1
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+dave::rm /etc/ipsec.d/certs/*
+dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/dynamic-initiator/pretest.dat b/testing/tests/ikev2/dynamic-initiator/pretest.dat
new file mode 100644
index 000000000..3e1cfce77
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up moon
+carol::sleep 1
+carol::iptables -D INPUT  -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+dave::ipsec up moon
+dave::sleep 2 
diff --git a/testing/tests/ikev2/dynamic-initiator/test.conf b/testing/tests/ikev2/dynamic-initiator/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-initiator/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/dynamic-two-peers/description.txt b/testing/tests/ikev2/dynamic-two-peers/description.txt
new file mode 100644
index 000000000..a1616011e
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/description.txt
@@ -0,0 +1,14 @@
+The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses,
+so that the remote end is defined symbolically by <b>right=%&lt;hostname&gt;</b>.
+The ipsec starter resolves the fully-qualified hostname into the current IP address
+via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are
+expected to change over time, the prefix '%' is used as an implicit alternative to the
+explicit <b>rightallowany=yes</b> option which will allow an IKE_SA rekeying to arrive
+from an arbitrary IP address under the condition that the peer identity remains unchanged.
+When this happens the old tunnel is replaced by an IPsec connection to the new origin.
+<p>
+In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to
+<b>moon</b> which has a named connection definition for each peer. Although
+the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to
+the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses.
+
diff --git a/testing/tests/ikev2/dynamic-two-peers/evaltest.dat b/testing/tests/ikev2/dynamic-two-peers/evaltest.dat
new file mode 100644
index 000000000..82d2e7318
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/evaltest.dat
@@ -0,0 +1,14 @@
+carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..6fca045f6
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn moon 
+	left=%any
+	leftsourceip=%config
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=%moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..6493ce0b1
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn moon
+	left=%any
+	leftsourceip=%config
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=%moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale
new file mode 100644
index 000000000..ebff4ec25
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale
@@ -0,0 +1,67 @@
+# /etc/hosts:  This file describes a number of hostname-to-address
+#              mappings for the TCP/IP subsystem.  It is mostly
+#              used at boot time, when no name servers are running.
+#              On small systems, this file can be used instead of a
+#              "named" name server.  Just add the names, addresses
+#              and any aliases to this file...
+#
+
+127.0.0.1	localhost
+
+192.168.0.254	uml0.strongswan.org	uml0
+10.1.0.254	uml1.strongswan.org	uml1
+10.2.0.254	uml1.strongswan.org	uml2
+
+10.1.0.10	alice.strongswan.org	alice
+10.1.0.20	venus.strongswan.org	venus
+10.1.0.1	moon1.strongswan.org	moon1
+192.168.0.1	moon.strongswan.org	moon
+192.168.0.110	carol.strongswan.org	carol
+10.3.0.1	carol1.strongswan.org	carol1
+192.168.0.150	winnetou.strongswan.org	winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+192.168.0.220	dave.strongswan.org	dave
+10.3.0.2	dave1.strongswan.org	dave1
+192.168.0.2	sun.strongswan.org	sun
+10.2.0.1	sun1.strongswan.org	sun1
+10.2.0.10	bob.strongswan.org	bob
+
+# IPv6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+# IPv6 solicited-node multicast addresses
+ff02::1:ff00:1	ip6-mcast-1
+ff02::1:ff00:2	ip6-mcast-2
+ff02::1:ff00:10	ip6-mcast-10
+ff02::1:ff00:15	ip6-mcast-15
+ff02::1:ff00:20	ip6-mcast-20
+
+# IPv6 site-local addresses
+fec1::10	ip6-alice.strongswan.org    ip6-alice
+fec1::20	ip6-venus.strongswan.org    ip6-venus
+fec1::1 	ip6-moon1.strongswan.org    ip6-moon1
+fec0::1 	ip6-moon.strongswan.org     ip6-moon
+fec0::10	ip6-carol.strongswan.org    ip6-carol
+fec3::1 	ip6-carol1.strongswan.org   ip6-carol1
+fec0::15	ip6-winnetou.strongswan.org ip6-winnetou 
+fec0::20	ip6-dave.strongswan.org     ip6-dave
+fec3::2 	ip6-dave1.strongswan.org    ip6-dave1
+fec0::2 	ip6-sun.strongswan.org      ip6-sun
+fec2::1 	ip6-sun1.strongswan.org     ip6-sun1
+fec2::10	ip6-bob.strongswan.org      ip6-bob
+
+# IPv6 link-local HW derived addresses
+fe80::fcfd:0aff:fe01:14	ip6-hw-venus.strongswan.org    ip6-hw-venus
+fe80::fcfd:0aff:fe01:0a	ip6-hw-alice.strongswan.org    ip6-hw-alice
+fe80::fcfd:0aff:fe01:01	ip6-hw-moon1.strongswan.org    ip6-hw-moon1
+fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org     ip6-hw-moon
+fe80::fcfd:c0ff:fea8:64	ip6-hw-carol.strongswan.org    ip6-hw-carol
+fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
+fe80::fcfd:c0ff:fea8:c8	ip6-hw-dave.strongswan.org     ip6-hw-dave
+fe80::fcfd:c0ff:fea8:02	ip6-hw-sun.strongswan.org      ip6-hw-sun
+fe80::fcfd:0aff:fe02:01	ip6-hw-sun1.strongswan.org     ip6-hw-sun1
+fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org      ip6-hw-bob
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf
index 8b125ab80..d510e2e0c 100755..100644
--- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf
@@ -1,33 +1,27 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
-	modeconfig=push
-	left=PH_IP_MOON
+	keyexchange=ikev2
+	left=%any
 	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
 
-conn rw-carol
-	right=%any
+conn carol
+	right=%carol.strongswan.org
 	rightid=carol@strongswan.org
 	rightsourceip=PH_IP_CAROL1
 	auto=add
 
-conn rw-dave
-	right=%any
+conn dave
+	right=%dave.strongswan.org
 	rightid=dave@strongswan.org
 	rightsourceip=PH_IP_DAVE1
 	auto=add
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bad10ca43
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev2/dynamic-two-peers/posttest.dat b/testing/tests/ikev2/dynamic-two-peers/posttest.dat
new file mode 100644
index 000000000..7b2609846
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/posttest.dat
@@ -0,0 +1,8 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::sleep 1
+moon::ipsec stop
+moon::mv /etc/hosts.ori /etc/hosts
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/dynamic-two-peers/pretest.dat b/testing/tests/ikev2/dynamic-two-peers/pretest.dat
new file mode 100644
index 000000000..4bb2a4686
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/pretest.dat
@@ -0,0 +1,12 @@
+moon::mv /etc/hosts /etc/hosts.ori
+moon::mv /etc/hosts.stale /etc/hosts
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up moon
+dave::ipsec up moon
+carol::sleep 1
diff --git a/testing/tests/ikev2/dynamic-two-peers/test.conf b/testing/tests/ikev2/dynamic-two-peers/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev2/dynamic-two-peers/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
index 9377d9fd2..d5d3bc0d3 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
@@ -1,9 +1,11 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::NULL_AES_GMAC_256::YES
-carol::ipsec statusall::NULL_AES_GMAC_256::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
+carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES
 carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
-moon::ip xfrm state::aead rfc4543(gcm(aes))::YES
+moon:: ip xfrm state::aead rfc4543(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
index f3a266c7d..8f5b77cac 100755..100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
index bbdb38301..d41ba72e8 100755..100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
index d65d71240..366539936 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat
@@ -1,9 +1,11 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::3DES_CBC/HMAC_MD5_128::YES
-carol::ipsec statusall::3DES_CBC/HMAC_MD5_128::YES
-moon::ip xfrm state::auth hmac(md5)::YES
-carol::ip xfrm state::auth hmac(md5)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES
+carol::ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES
+moon:: ip xfrm state::auth-trunc hmac(md5)::YES
+carol::ip xfrm state::auth-trunc hmac(md5)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf
index 09797799f..a85034243 100755..100644
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf
index ae83aaf58..13908da14 100755..100644
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/esp-alg-md5-128/test.conf b/testing/tests/ikev2/esp-alg-md5-128/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/test.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-null/evaltest.dat b/testing/tests/ikev2/esp-alg-null/evaltest.dat
index bebca1f61..1b9c6c27e 100644
--- a/testing/tests/ikev2/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-null/evaltest.dat
@@ -1,9 +1,11 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::NULL/HMAC_SHA1_96::YES
-carol::ipsec statusall::NULL/HMAC_SHA1_96::YES
-moon::ip xfrm state::enc ecb(cipher_null)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+moon:: ip xfrm state::enc ecb(cipher_null)::YES
 carol::ip xfrm state::enc ecb(cipher_null)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 172::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 172::YES
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf
index 5640d74fc..1d8509115 100755..100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf
index 91f4a7c7f..38f8bd619 100755..100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-null/posttest.dat b/testing/tests/ikev2/esp-alg-null/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-null/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-null/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-null/pretest.dat b/testing/tests/ikev2/esp-alg-null/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev2/esp-alg-null/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-null/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/esp-alg-null/test.conf b/testing/tests/ikev2/esp-alg-null/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-null/test.conf
+++ b/testing/tests/ikev2/esp-alg-null/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
index b0277271d..00c353686 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat
@@ -1,9 +1,11 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::AES_CBC_128/HMAC_SHA1_160::YES
-carol::ipsec statusall::AES_CBC_128/HMAC_SHA1_160::YES
-moon::ip xfrm state::auth hmac(sha1)::YES
-carol::ip xfrm state::auth hmac(sha1)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES
+carol::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES
+moon:: ip xfrm state::auth-trunc hmac(sha1)::YES
+carol::ip xfrm state::auth-trunc hmac(sha1)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 204::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 204::YES
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf
index 3991d517d..52629873e 100755..100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf
index 893419585..d4cc3fbaf 100755..100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
+++ b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/test.conf b/testing/tests/ikev2/esp-alg-sha1-160/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/test.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/farp/evaltest.dat b/testing/tests/ikev2/farp/evaltest.dat
index d48812f47..891ec20d5 100644
--- a/testing/tests/ikev2/farp/evaltest.dat
+++ b/testing/tests/ikev2/farp/evaltest.dat
@@ -1,21 +1,25 @@
-carol::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec status::home.*INSTALLED::YES
-alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec status::rw-carol.*INSTALLED::YES
-moon::ipsec status::rw-dave.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES
+alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES
 alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES
 alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf
index 19dd5d3e6..25ec162fe 100755..100644
--- a/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
index 379edeefc..56eaebfc0 100644
--- a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev2/farp/posttest.dat b/testing/tests/ikev2/farp/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/farp/posttest.dat
+++ b/testing/tests/ikev2/farp/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/farp/pretest.dat b/testing/tests/ikev2/farp/pretest.dat
index 709931e1b..f0254da6c 100644
--- a/testing/tests/ikev2/farp/pretest.dat
+++ b/testing/tests/ikev2/farp/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 alice::arp -d 10.1.0.30
 alice::arp -d 10.1.0.40
 carol::ipsec start
diff --git a/testing/tests/ikev2/farp/test.conf b/testing/tests/ikev2/farp/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/farp/test.conf
+++ b/testing/tests/ikev2/farp/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/force-udp-encaps/evaltest.dat b/testing/tests/ikev2/force-udp-encaps/evaltest.dat
index 35f01d491..36af646d2 100644
--- a/testing/tests/ikev2/force-udp-encaps/evaltest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/evaltest.dat
@@ -1,6 +1,8 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat.t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
 alice::cat /var/log/daemon.log::faking NAT situation to enforce UDP encapsulation::YES
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec statusall::nat-t.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > alice.strongswan.org.*: UDP::YES
+alice:: ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > alice.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf
index 2074646cc..3e10155a3 100755..100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 5bb63f5ac..000000000
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,76 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-        # allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf
index a2c168601..3f00d6e1a 100755..100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/posttest.dat b/testing/tests/ikev2/force-udp-encaps/posttest.dat
index 979f2fcd0..03edb42cb 100644
--- a/testing/tests/ikev2/force-udp-encaps/posttest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/posttest.dat
@@ -1,6 +1,6 @@
 alice::ipsec stop
 sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
 winnetou::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/force-udp-encaps/pretest.dat b/testing/tests/ikev2/force-udp-encaps/pretest.dat
index 6f00cd387..7be66867a 100644
--- a/testing/tests/ikev2/force-udp-encaps/pretest.dat
+++ b/testing/tests/ikev2/force-udp-encaps/pretest.dat
@@ -1,8 +1,7 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 alice::ipsec start
 sun::ipsec start
 alice::sleep 4
diff --git a/testing/tests/ikev2/force-udp-encaps/test.conf b/testing/tests/ikev2/force-udp-encaps/test.conf
index d84149aaf..42fa97190 100644
--- a/testing/tests/ikev2/force-udp-encaps/test.conf
+++ b/testing/tests/ikev2/force-udp-encaps/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/host2host-cert/evaltest.dat b/testing/tests/ikev2/host2host-cert/evaltest.dat
index 8d5d8167a..3305f4558 100644
--- a/testing/tests/ikev2/host2host-cert/evaltest.dat
+++ b/testing/tests/ikev2/host2host-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::host-host.*ESTABLISHED::YES
-sun::ipsec statusall::host-host.*ESTABLISHED::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
index ec9ac5b80..1f4843f7d 100755..100644
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
index 484eb995f..2b2b26097 100755..100644
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/posttest.dat b/testing/tests/ikev2/host2host-cert/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/host2host-cert/posttest.dat
+++ b/testing/tests/ikev2/host2host-cert/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-cert/pretest.dat b/testing/tests/ikev2/host2host-cert/pretest.dat
index 1fa70177c..3bce9f6e5 100644
--- a/testing/tests/ikev2/host2host-cert/pretest.dat
+++ b/testing/tests/ikev2/host2host-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/host2host-cert/test.conf b/testing/tests/ikev2/host2host-cert/test.conf
index 305a67316..55d6e9fd6 100644
--- a/testing/tests/ikev2/host2host-cert/test.conf
+++ b/testing/tests/ikev2/host2host-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/host2host-swapped/evaltest.dat b/testing/tests/ikev2/host2host-swapped/evaltest.dat
index 8d5d8167a..3305f4558 100644
--- a/testing/tests/ikev2/host2host-swapped/evaltest.dat
+++ b/testing/tests/ikev2/host2host-swapped/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::host-host.*ESTABLISHED::YES
-sun::ipsec statusall::host-host.*ESTABLISHED::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
index 981c7f073..d8ef0c7be 100755..100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
index e3fc2b728..517bb3d41 100755..100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/posttest.dat b/testing/tests/ikev2/host2host-swapped/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/host2host-swapped/posttest.dat
+++ b/testing/tests/ikev2/host2host-swapped/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-swapped/pretest.dat b/testing/tests/ikev2/host2host-swapped/pretest.dat
index 1fa70177c..3bce9f6e5 100644
--- a/testing/tests/ikev2/host2host-swapped/pretest.dat
+++ b/testing/tests/ikev2/host2host-swapped/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/host2host-swapped/test.conf b/testing/tests/ikev2/host2host-swapped/test.conf
index 305a67316..55d6e9fd6 100644
--- a/testing/tests/ikev2/host2host-swapped/test.conf
+++ b/testing/tests/ikev2/host2host-swapped/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/host2host-transport/evaltest.dat b/testing/tests/ikev2/host2host-transport/evaltest.dat
index b3cade48c..fc49e57d8 100644
--- a/testing/tests/ikev2/host2host-transport/evaltest.dat
+++ b/testing/tests/ikev2/host2host-transport/evaltest.dat
@@ -1,8 +1,7 @@
-moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
-moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
-sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
-moon::ip xfrm state::mode transport::YES
-sun::ip xfrm state::mode transport::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
index 7f6c5a58a..de273e53a 100755..100644
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
index af52fb22b..e96c1ca2e 100755..100644
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/host2host-transport/posttest.dat b/testing/tests/ikev2/host2host-transport/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/host2host-transport/posttest.dat
+++ b/testing/tests/ikev2/host2host-transport/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-transport/pretest.dat b/testing/tests/ikev2/host2host-transport/pretest.dat
index e2d98f2eb..99789b90f 100644
--- a/testing/tests/ikev2/host2host-transport/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2
diff --git a/testing/tests/ikev2/host2host-transport/test.conf b/testing/tests/ikev2/host2host-transport/test.conf
index cf2e704fd..5a286c84f 100644
--- a/testing/tests/ikev2/host2host-transport/test.conf
+++ b/testing/tests/ikev2/host2host-transport/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
index a8975481f..221c59318 100644
--- a/testing/tests/ikev2/inactivity-timeout/evaltest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/evaltest.dat
@@ -1,8 +1,8 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::sleep 15::NO
 carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES
-moon::ipsec statusall::rw.*INSTALLED::NO
-carol::ipsec statusall::home.*INSTALLED::NO
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::NO
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf
index 5fbb99617..a7a53a4b7 100755..100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf
index c3d417302..efc5b6cbd 100755..100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/inactivity-timeout/posttest.dat b/testing/tests/ikev2/inactivity-timeout/posttest.dat
index 94a400606..6ca9c5b35 100644
--- a/testing/tests/ikev2/inactivity-timeout/posttest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/posttest.dat
@@ -1,4 +1,3 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/inactivity-timeout/pretest.dat b/testing/tests/ikev2/inactivity-timeout/pretest.dat
index 3c3df0196..b949aaeaf 100644
--- a/testing/tests/ikev2/inactivity-timeout/pretest.dat
+++ b/testing/tests/ikev2/inactivity-timeout/pretest.dat
@@ -1,7 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
-carol::sleep 1 
+carol::sleep 1
 carol::ipsec up home
 carol::sleep 1
diff --git a/testing/tests/ikev2/inactivity-timeout/test.conf b/testing/tests/ikev2/inactivity-timeout/test.conf
index acb73b06f..11423f723 100644
--- a/testing/tests/ikev2/inactivity-timeout/test.conf
+++ b/testing/tests/ikev2/inactivity-timeout/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-pool-db/evaltest.dat b/testing/tests/ikev2/ip-pool-db/evaltest.dat
index f9d0cbb37..42e353084 100644
--- a/testing/tests/ikev2/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool-db/evaltest.dat
@@ -4,26 +4,30 @@ carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
 carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
-dave::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
-dave::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/daemon.log::assigning virtual IP::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
 moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
 moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
 moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
 moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf
index b3413830f..606b1500a 100755..100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
index e907021ce..04ffaf64d 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat
index 5b88b2163..c99f347e3 100644
--- a/testing/tests/ikev2/ip-pool-db/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-db/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::ipsec pool --del bigpool 2> /dev/null
 moon::ipsec pool --del dns 2> /dev/null
 moon::ipsec pool --del nbns 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
index 4a2add194..fce551c69 100644
--- a/testing/tests/ikev2/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -4,9 +4,9 @@ moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2>
 moon::ipsec pool --addattr dns  --server PH_IP_WINNETOU 2> /dev/null
 moon::ipsec pool --addattr dns  --server PH_IP_VENUS 2> /dev/null
 moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ip-pool-db/test.conf b/testing/tests/ikev2/ip-pool-db/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-pool-db/test.conf
+++ b/testing/tests/ikev2/ip-pool-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-pool-wish/evaltest.dat b/testing/tests/ikev2/ip-pool-wish/evaltest.dat
index d02d422ab..44310cd16 100644
--- a/testing/tests/ikev2/ip-pool-wish/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/evaltest.dat
@@ -1,18 +1,22 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::adding virtual IP address pool::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
-moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org.::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf
index c9867c7d4..62c30cf28 100755..100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf
index 98dd99271..fa99a4c86 100755..100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf
index 0b4cded6c..85c48a7bb 100755..100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/posttest.dat b/testing/tests/ikev2/ip-pool-wish/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/ip-pool-wish/posttest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2/ip-pool-wish/pretest.dat
index 1f4ff286a..1466fd2f2 100644
--- a/testing/tests/ikev2/ip-pool-wish/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-wish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ip-pool-wish/test.conf b/testing/tests/ikev2/ip-pool-wish/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-pool-wish/test.conf
+++ b/testing/tests/ikev2/ip-pool-wish/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-pool/evaltest.dat b/testing/tests/ikev2/ip-pool/evaltest.dat
index b130d4565..8ea7960b5 100644
--- a/testing/tests/ikev2/ip-pool/evaltest.dat
+++ b/testing/tests/ikev2/ip-pool/evaltest.dat
@@ -1,21 +1,25 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::adding virtual IP address pool::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec leases rw::2/15, 2 online::YES
-moon::ipsec leases rw 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec leases rw 10.3.0.2::dave@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_DAVE1 2> /dev/null::dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf
index 0b4cded6c..85c48a7bb 100755..100644
--- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/posttest.dat b/testing/tests/ikev2/ip-pool/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/ip-pool/posttest.dat
+++ b/testing/tests/ikev2/ip-pool/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/ip-pool/pretest.dat b/testing/tests/ikev2/ip-pool/pretest.dat
index 014e80517..3864bdac3 100644
--- a/testing/tests/ikev2/ip-pool/pretest.dat
+++ b/testing/tests/ikev2/ip-pool/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ip-pool/test.conf b/testing/tests/ikev2/ip-pool/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-pool/test.conf
+++ b/testing/tests/ikev2/ip-pool/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-split-pools-db/evaltest.dat b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat
index 8fd47dc34..60a537b02 100644
--- a/testing/tests/ikev2/ip-split-pools-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat
@@ -1,15 +1,19 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::ipsec status::home.*INSTALLED::YES
-dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
-dave::ipsec status::home.*INSTALLED::YES
-moon::cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
-moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
-moon::cat /var/log/daemon.log::no available address found in pool.*pool0::YES
-moon::cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
-moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
-moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*48h.*1 .*1 .*1 ::YES
-moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*48h.*1 .*1 .*1 ::YES
-moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
+moon:: cat /var/log/daemon.log::no available address found in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
+moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*48h.*1 .*1 .*1 ::YES
+moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*48h.*1 .*1 .*1 ::YES
+moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf
index c0f9756e4..136022d5c 100755..100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,5 +16,5 @@ conn rw
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
 	right=%any
-	rightsourceip=%pool0,pool1
+	rightsourceip=%pool0,%pool1
 	auto=add
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index e907021ce..04ffaf64d 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev2/ip-split-pools-db/test.conf b/testing/tests/ikev2/ip-split-pools-db/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/ip-split-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
index ba2b07a10..fdc3d4d3f 100644
--- a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
@@ -1,29 +1,37 @@
-carol::ipsec status::home.*INSTALLED::YES
-dave::ipsec status::home.*INSTALLED::YES
-alice::ipsec status::home.*INSTALLED::YES
-venus::ipsec status::home.*INSTALLED::YES
-moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::ext.*ESTABLISHED.*dave@strongswan.org::YES
-moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES
-moon::ipsec status::int.*ESTABLISHED.*venus.strongswan.org::YES
-moon::ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
-moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
-moon::ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
+venus::ipsec status 2> /dev/null::home.*ESTABLISHED.*venus.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int\[3]: ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int\[4]: ESTABLISHED.*moon.strongswan.org.*venus.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext[{]1}.*INSTALLED. TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext[{]2}.*INSTALLED. TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int[{]3}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int[{]4}.*INSTALLED, TUNNEL::YES
+moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES
+moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
 alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
 venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
 carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
-dave::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
 alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
 venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
-alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES
-dave::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_req=1::YES
+dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_req=1::YES
 alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
 alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES
 dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf
index d925a2564..19cd1c8cd 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf
index 2b673ec4d..c891c643c 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf
index 22f9b6634..4066549e8 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# masquerade crl fetches to winnetou
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf
index a4c37e117..651642b04 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
index e44a3e251..2dc6a3a87 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf
index 2dbd84fe7..b8f01bd15 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
index cb5f6406b..bd19ffe3d 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 7b0393ebd..9c0bb5cae 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -3,11 +3,11 @@ venus::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::ip route del 10.3.0.0/16 via PH_IP_MOON
 moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
 moon::conntrack -F
diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
index e4eb8b0b9..3aba87994 100644
--- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
@@ -8,11 +8,11 @@ moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/nu
 moon::ipsec pool --statusattr 2> /dev/null
 moon::ip route add 10.3.0.0/16 via PH_IP_MOON
 moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 alice::ipsec start
 venus::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/ip-two-pools-db/test.conf b/testing/tests/ikev2/ip-two-pools-db/test.conf
index ea1307b16..c88e11d28 100644
--- a/testing/tests/ikev2/ip-two-pools-db/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice venus carol dave"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus moon carol dave"
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
index 1505de751..0d7a36452 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat
@@ -1,16 +1,20 @@
-carol::ipsec status::home.*INSTALLED::YES
-alice::ipsec status::home.*INSTALLED::YES
-moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES
-moon::cat /var/log/daemon.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
-moon::ipsec leases ext::1/15, 1 online::YES
-moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES
-moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int.*ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES
+moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES
+moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES
+moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
index f5ce1687e..180226eaa 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
index e647f1e36..63509bc16 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# masquerade crl fetches to winnetou
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
index d80bb5305..649d567c4 100755..100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
index e44a3e251..2dc6a3a87 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
 }
 
 libhydra {
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
index db5e6237f..a3924b2f6 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 alice::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
 moon::ipsec pool --del intpool 2> /dev/null
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
index b579464f2..b74c1e07a 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat
@@ -1,9 +1,9 @@
 moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout  0 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
 alice::ipsec start
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/test.conf b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
index 329774c0a..1ed3473ab 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/test.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice carol"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt b/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt
new file mode 100644
index 000000000..7e8e7a69b
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt
@@ -0,0 +1,5 @@
+The host <b>carol</b> sets up a tunnel connection to gateway <b>moon</b>. It requests
+both an IPv4 and an IPv6 <b>virtual IP</b> via the IKEv2 configuration payload by using
+<b>leftsourceip=%config4,%config6</b>. Gateway <b>moon</b> assigns virtual IPs addresses
+from persistent pools stored in an SQL database using the <b>rightsourceip</b> option.
+The established tunnel carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel.
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
new file mode 100644
index 000000000..0bf3500b5
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat
@@ -0,0 +1,9 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
+carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..d19399def
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config4,%config6
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=0.0.0.0/0,::/0
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..04a74fd44
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16,fec1::0/16
+	rightsourceip=%v4_pool,%v6_pool
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
index 630135adc..73b0cb7be 100644
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
new file mode 100644
index 000000000..311e9f21d
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat
@@ -0,0 +1,5 @@
+alice::ip -6 route del default via fec1:\:1
+carol::ipsec stop
+moon::ipsec stop
+moon::conntrack -F
+moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
new file mode 100644
index 000000000..e3d8f4a78
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat
@@ -0,0 +1,9 @@
+moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::ipsec pool --add v4_pool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null 
+moon::ipsec pool --add v6_pool --start fec3:\:1 --end fec3:\:fe --timeout  48 2> /dev/null
+alice::ip -6 route add default via fec1:\:1
+moon::ipsec start
+carol::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
new file mode 100644
index 000000000..cd03759f0
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/description.txt b/testing/tests/ikev2/ip-two-pools-v4v6/description.txt
new file mode 100644
index 000000000..32dd88d51
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/description.txt
@@ -0,0 +1,5 @@
+The host <b>carol</b> sets up a tunnel connection to gateway <b>moon</b>. It requests
+both an IPv4 and an IPv6 <b>virtual IP</b> via the IKEv2 configuration payload by using
+<b>leftsourceip=%config4,%config6</b>. Gateway <b>moon</b> assigns virtual IPs addresses
+from two in-memory pools using the <b>rightsourceip</b> option. The established tunnel
+carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel.
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
new file mode 100644
index 000000000..0bf3500b5
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat
@@ -0,0 +1,9 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES
+carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..d19399def
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftsourceip=%config4,%config6
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=0.0.0.0/0,::/0
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85d8c191f
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+}
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..0777f6db5
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16,fec1::0/16
+	rightsourceip=10.3.0.0/28,fec3::/120
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
new file mode 100644
index 000000000..bb20cae05
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat
@@ -0,0 +1,4 @@
+alice::ip -6 route del default via fec1:\:1
+carol::ipsec stop
+moon::ipsec stop
+moon::conntrack -F
diff --git a/testing/tests/ikev1/crl-strict/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
index d92333d86..04139badf 100644
--- a/testing/tests/ikev1/crl-strict/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat
@@ -1,3 +1,4 @@
+alice::ip -6 route add default via fec1:\:1
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6/test.conf
new file mode 100644
index 000000000..cd03759f0
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ip-two-pools/evaltest.dat b/testing/tests/ikev2/ip-two-pools/evaltest.dat
index ac0a3eeb3..fad3781d7 100644
--- a/testing/tests/ikev2/ip-two-pools/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools/evaltest.dat
@@ -1,17 +1,21 @@
-carol::ipsec status::home.*INSTALLED::YES
-alice::ipsec status::home.*INSTALLED::YES
-moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES
-moon::cat /var/log/daemon.log::adding virtual IP address pool.*int.*10.4.0.0/28::YES
-moon::cat /var/log/daemon.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES
-moon::ipsec leases ext::1/15, 1 online::YES
-moon::ipsec leases int::1/15, 1 online::YES
-moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES
-moon::ipsec leases int 10.4.0.1::alice@strongswan.org::YES
-carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES
+alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ext.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::int.*ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ext.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::int.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.4.0.0/28::YES
+moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES
+moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES
+moon:: ipsec leases 10.4.0.0/28 2> /dev/null::1/14, 1 online::YES
+moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES
+moon:: ipsec leases 10.4.0.0/28 10.4.0.1 2> /dev/null::alice@strongswan.org::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
-carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 97b773645..000000000
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf
index f5ce1687e..180226eaa 100755..100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf
index e647f1e36..63509bc16 100755..100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index bb9d03acd..000000000
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,91 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-        iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-        iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# masquerade crl fetches to winnetou
-	iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf
index 8435479fa..5773245d1 100755..100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..a0ed9f0e6
--- /dev/null
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules
@@ -0,0 +1,43 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+COMMIT
+
+*nat
+
+# masquerade crl fetches to winnetou
+-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE
+
+COMMIT
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat
index f41bb0fbc..2fbc2c3a0 100644
--- a/testing/tests/ikev2/ip-two-pools/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools/posttest.dat
@@ -1,8 +1,8 @@
 alice::ipsec stop
 carol::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-alice::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+alice::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat
index db422a105..4e8b639f4 100644
--- a/testing/tests/ikev2/ip-two-pools/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 moon::ipsec start
 alice::ipsec start
diff --git a/testing/tests/ikev2/ip-two-pools/test.conf b/testing/tests/ikev2/ip-two-pools/test.conf
index 329774c0a..1ed3473ab 100644
--- a/testing/tests/ikev2/ip-two-pools/test.conf
+++ b/testing/tests/ikev2/ip-two-pools/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice carol"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice moon carol"
diff --git a/testing/tests/ikev2/mobike-nat/evaltest.dat b/testing/tests/ikev2/mobike-nat/evaltest.dat
index f2758eb35..c71e3f7c1 100644
--- a/testing/tests/ikev2/mobike-nat/evaltest.dat
+++ b/testing/tests/ikev2/mobike-nat/evaltest.dat
@@ -1,15 +1,15 @@
-alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
-sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
-alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES
-sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
+alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
+sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ifdown eth1::No output expected::NO
 alice::sleep 1::No output expected::NO
-alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
-sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
-alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES
-sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
+alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
+sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
 sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
 moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: UDP-encap: ESP.*seq=0x2::YES
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index cf0d65c58..000000000
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow IPsec tunnel traffic
-        iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-        iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
index ed670efb1..ffb7f563a 100755..100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,7 +10,7 @@ conn %default
 	keyexchange=ikev2
 
 conn mobike
-	left=PH_IP_ALICE1
+	left=192.168.0.50
 	leftsourceip=%config
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..6dd261f20
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules
@@ -0,0 +1,38 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP 
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 642c414d5..000000000
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IPsec tunnel traffic
-	iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-	iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-        # allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
index ca4d84e16..e187f9569 100755..100644
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..0a7d1fa40
--- /dev/null
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP 
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-nat/posttest.dat b/testing/tests/ikev2/mobike-nat/posttest.dat
index cd0d4df25..f4e5316c9 100644
--- a/testing/tests/ikev2/mobike-nat/posttest.dat
+++ b/testing/tests/ikev2/mobike-nat/posttest.dat
@@ -1,6 +1,6 @@
 alice::ipsec stop
 sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::iptables -t nat -F
 moon::conntrack -F
diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2/mobike-nat/pretest.dat
index 08c2be95c..86ac6e7e0 100644
--- a/testing/tests/ikev2/mobike-nat/pretest.dat
+++ b/testing/tests/ikev2/mobike-nat/pretest.dat
@@ -1,12 +1,11 @@
-alice::/etc/init.d/net.eth1 start
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+alice::ifup eth1
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::conntrack -F
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
 sun::ipsec start
-alice::sleep 2 
+alice::sleep 2
 alice::ipsec up mobike
 alice::sleep 1
diff --git a/testing/tests/ikev2/mobike-nat/test.conf b/testing/tests/ikev2/mobike-nat/test.conf
index 24a0cf3a4..70c64c503 100644
--- a/testing/tests/ikev2/mobike-nat/test.conf
+++ b/testing/tests/ikev2/mobike-nat/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="bob moon sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
index 94dea0b14..17593ef82 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat
@@ -1,15 +1,15 @@
-alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
-sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
-alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES
-sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*192.168.0.50.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*192.168.0.50::YES
+alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
+sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ifdown eth1::No output expected::NO
 alice::sleep 1::No output expected::NO
-alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
-sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
-alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES
-sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
+alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES
+sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
 sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
 moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP.*seq=0x2::YES
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index cf0d65c58..000000000
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow IPsec tunnel traffic
-        iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-        iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
index ed670efb1..ffb7f563a 100755..100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,7 +10,7 @@ conn %default
 	keyexchange=ikev2
 
 conn mobike
-	left=PH_IP_ALICE1
+	left=192.168.0.50
 	leftsourceip=%config
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..a238c8d19
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules
@@ -0,0 +1,38 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 642c414d5..000000000
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IPsec tunnel traffic
-	iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-	iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-        # allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
index 1c8be1db4..2b0c8aebd 100755..100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,7 +14,7 @@ conn mobike
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftsubnet=10.2.0.0/16
-	right=PH_IP_ALICE1
+	right=192.168.0.50
 	rightsourceip=10.3.0.3
 	rightid=alice@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..d86a461ac
--- /dev/null
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
index 32fdf0053..95c963091 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat
@@ -1,5 +1,5 @@
 alice::ipsec stop
 sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
index 6666e7794..067c1a1ec 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat
@@ -1,10 +1,9 @@
-alice::/etc/init.d/net.eth1 start
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::ifup eth1
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 alice::ipsec start
 sun::ipsec start
-alice::sleep 2 
+alice::sleep 2
 alice::ipsec up mobike
 alice::sleep 1
diff --git a/testing/tests/ikev2/mobike-virtual-ip/test.conf b/testing/tests/ikev2/mobike-virtual-ip/test.conf
index 24a0cf3a4..70c64c503 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/test.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="bob moon sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mobike/evaltest.dat b/testing/tests/ikev2/mobike/evaltest.dat
index 6c49c0425..e3464040e 100644
--- a/testing/tests/ikev2/mobike/evaltest.dat
+++ b/testing/tests/ikev2/mobike/evaltest.dat
@@ -1,15 +1,15 @@
-alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES
-sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES
-alice::ipsec statusall::PH_IP_ALICE1/32 === 10.2.0.0/16::YES
-sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE1/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::/etc/init.d/net.eth1 stop::No output expected::NO
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*192.168.0.50.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*192.168.0.50::YES
+alice::ipsec statusall 2> /dev/null::192.168.0.50/32 === 10.2.0.0/16::YES
+sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === 192.168.0.50/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ifdown eth1::No output expected::NO
 alice::sleep 1::No output expected::NO
-alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
-sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
-alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES
-sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES
+sun::  ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES
+alice::ipsec statusall 2> /dev/null::PH_IP_ALICE/32 === 10.2.0.0/16::YES
+sun::  ipsec statusall 2> /dev/null::10.2.0.0/16 === PH_IP_ALICE/32::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES
 sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES
 moon::tcpdump::alice.strongswan.org.*sun.strongswan.org: ESP.*seq=0x2::YES
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index cf0d65c58..000000000
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,87 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow IPsec tunnel traffic
-        iptables -A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-        iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
index 6c87468bb..95683fdc3 100755..100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,7 +10,7 @@ conn %default
 	keyexchange=ikev2
 
 conn mobike
-	left=PH_IP_ALICE1
+	left=192.168.0.50
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
 	right=PH_IP_SUN
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..a238c8d19
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules
@@ -0,0 +1,38 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A INPUT  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A INPUT  -i eth1 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 6934b1948..000000000
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,90 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-        # enable IP forwarding
-        echo 1 > /proc/sys/net/ipv4/ip_forward
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow IPsec tunnel traffic
-        iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
-        iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A INPUT  -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
index 4806cd9c8..f7693106f 100755..100644
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +14,6 @@ conn mobike
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftsubnet=10.2.0.0/16
-	right=PH_IP_ALICE1
+	right=192.168.0.50
 	rightid=alice@strongswan.org
 	auto=add
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..d86a461ac
--- /dev/null
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IPsec tunnel traffic
+-A FORWARD -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+# allow ESP
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike/posttest.dat b/testing/tests/ikev2/mobike/posttest.dat
index 32fdf0053..95c963091 100644
--- a/testing/tests/ikev2/mobike/posttest.dat
+++ b/testing/tests/ikev2/mobike/posttest.dat
@@ -1,5 +1,5 @@
 alice::ipsec stop
 sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
diff --git a/testing/tests/ikev2/mobike/pretest.dat b/testing/tests/ikev2/mobike/pretest.dat
index 6666e7794..067c1a1ec 100644
--- a/testing/tests/ikev2/mobike/pretest.dat
+++ b/testing/tests/ikev2/mobike/pretest.dat
@@ -1,10 +1,9 @@
-alice::/etc/init.d/net.eth1 start
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::ifup eth1
+alice::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON
 alice::ipsec start
 sun::ipsec start
-alice::sleep 2 
+alice::sleep 2
 alice::ipsec up mobike
 alice::sleep 1
diff --git a/testing/tests/ikev2/mobike/test.conf b/testing/tests/ikev2/mobike/test.conf
index 24a0cf3a4..70c64c503 100644
--- a/testing/tests/ikev2/mobike/test.conf
+++ b/testing/tests/ikev2/mobike/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="bob moon sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
index 897db40ed..65a003d23 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -1,12 +1,12 @@
-moon::cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
-moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
-moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
-moon::cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
-moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES
-carol::ipsec statusall::home.*ESTABLISHED.*228060123456001@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES
@@ -15,7 +15,7 @@ dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
 moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES
 moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES
-moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO
+moon::ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO
 dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+	simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
index dfceb037d..91425f812 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default
@@ -59,4 +59,3 @@ pre-proxy {
 post-proxy {
   eap
 }
-
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
index 002ee94d1..aaabab89e 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat
@@ -4,4 +4,3 @@
 228060123456002,33000000000000000000000000000000,33112233,335566778899AABB
 228060123456002,34000000000000000000000000000000,34112233,345566778899AABB
 228060123456002,35000000000000000000000000000000,35112233,355566778899AABB
-
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
index e69de29bb..e69de29bb 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim 
-  sim {
-  }
-}
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-  sim_files {
-    simtriplets = "/etc/raddb/triplets.dat"
-  }
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf
index 26cc0cd92..df4440768 100755..100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
index 7b4ab49e4..8e872ddae 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
index f8c52be78..01fb6b0a3 100755..100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -9,7 +8,6 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
index 7b4ab49e4..8e872ddae 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
index 37d23b1f5..8dc0daeb5 100755..100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
index 2a18af887..aba7eefdf 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
index dbe56013a..6a4da6631 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat
@@ -1,7 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
index b3fd4cbf1..2d54c6027 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat
@@ -1,11 +1,8 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+alice::cat /etc/freeradius/clients.conf
+alice::cat /etc/freeradius/eap.conf
+alice::cat /etc/freeradius/proxy.conf
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
index 70416826e..42d23a50b 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf
@@ -1,21 +1,25 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat
index d2453bbee..03426ac44 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat
@@ -1,12 +1,12 @@
 carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
-dave::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
index a8a6d2b8f..7f045801e 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
index 8647ac813..9306bf9ec 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
index 4c84d183b..776b5a5b3 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
index c8e7adcb7..2eebc0f84 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/test.conf b/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
index 4b827b4dd..dcd271772 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat
@@ -1,12 +1,12 @@
 carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::alice.*INSTALLED::YES
-dave::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::venus.*INSTALLED::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
index 9031a948c..5ee8ba076 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
index 0168be8e1..391bc91a6 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
index 75138581e..565d0d829 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
index 4a1c7208b..4abcde1e8 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat
@@ -1,19 +1,19 @@
-moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
 carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-carol::ipsec status::venus.*INSTALLED::NO
-moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
-moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
-moon::cat /var/log/daemon.log::switching to peer config.*venus::YES
-dave::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
-dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-dave::ipsec status::alice.*INSTALLED::NO
-moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO
+moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon:: cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
+moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::alice.*moon.strongswan.org.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
index 39996cf42..995b347cf 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
         cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
index bbe0d3aa7..91ded3733 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
index e25636a7d..320c0713c 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
index bbe0d3aa7..91ded3733 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 4f4f3228b..000000000
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ldap crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
index 46f1030cd..e67c9afb0 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..debcc2181
--- /dev/null
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow ldap crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
index cccd6ae27..d0c3f8c49 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
index ec4ba6e10..6f0ec4b97 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat
@@ -3,5 +3,5 @@ carol::ipsec stop
 dave::ipsec stop
 moon::rm /etc/ipsec.d/cacerts/*
 winnetou::/etc/init.d/slapd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
index 322f42102..41319ae4d 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat
@@ -1,5 +1,5 @@
 winnetou::/etc/init.d/slapd start
-moon::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/test.conf b/testing/tests/ikev2/multi-level-ca-ldap/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
index 6b77a8161..85bbe4ab9 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat
@@ -1,4 +1,4 @@
-moon::cat /var/log/daemon.log::maximum path length of 7 exceeded::YES
+moon:: cat /var/log/daemon.log::maximum path length of 7 exceeded::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-carol::ipsec status::alice.*INSTALLED::NO
-moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO
+carol::ipsec status 2> /dev/null::alice.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
index 5c34528a4..991daafe1 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
index 96e493719..7721b2347 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
index 0a0ec22bf..bb538c160 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
 carol::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-loop/test.conf b/testing/tests/ikev2/multi-level-ca-loop/test.conf
index 3189fdfc7..a24ec4f1d 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat
index 266f0d0da..913e8f454 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat
@@ -1,4 +1,4 @@
-moon::cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES
+moon:: cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-carol::ipsec status::home.*INSTALLED::NO
-moon::ipsec status::duck.*INSTALLED::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::duck.*INSTALLED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
index 64539ccc2..e8398629c 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
index 47dab951f..bc90242f7 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random constraints x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce constraints x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
index 528dda39b..4d1286f4f 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
index 8335e51f6..77bd6782c 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
index 9f0232a7b..e209e60ff 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 moon::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
index b118cb7dc..587964390 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="alice venus moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
index 182f9e0fc..008ff2cf8 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat
@@ -1,4 +1,4 @@
-moon::cat /var/log/daemon.log::certificate was revoked::YES
+moon:: cat /var/log/daemon.log::certificate was revoked::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-moon::ipsec status::alice.*ESTABLISHED::NO
-carol::ipsec status::home.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED::NO
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
index a042da6d5..297e348ea 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
index ef1beae7e..a3517967a 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/test.conf b/testing/tests/ikev2/multi-level-ca-revoked/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat b/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat
index a594745b7..90ee6a7a4 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat
@@ -1,6 +1,6 @@
-carol::ipsec status::alice.*INSTALLED::YES
-carol::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::ESTABLISHED.*carol@strongswan.org::YES
-dave::ipsec status::venus.*INSTALLED::YES
-dave::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
index 6fcc1578e..d65d37be2 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
index c4b41aa06..121f7d41a 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
index 9c02993e7..a49c833b8 100755..100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
index 67c50c2ef..755564cbc 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca-strict/test.conf b/testing/tests/ikev2/multi-level-ca-strict/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/test.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat
index b0814556d..e1c5be4ed 100644
--- a/testing/tests/ikev2/multi-level-ca/evaltest.dat
+++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat
@@ -1,19 +1,19 @@
-moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org::YES
 carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-carol::ipsec status::venus.*INSTALLED::NO
-moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
-moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
-moon::cat /var/log/daemon.log::switching to peer config.*venus::YES
-dave::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
-dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-dave::ipsec status::alice.*INSTALLED::NO
-moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org::NO
+moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
+moon:: cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
+moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES
+dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*dave@strongswan.org::YES
+dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*dave@strongswan.org::NO
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
index 174e248c2..909118fb1 100755..100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
index 5c90dd4a2..95777460e 100755..100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
index d0240a333..3a5aaa6b6 100755..100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/pretest.dat b/testing/tests/ikev2/multi-level-ca/pretest.dat
index 67c50c2ef..755564cbc 100644
--- a/testing/tests/ikev2/multi-level-ca/pretest.dat
+++ b/testing/tests/ikev2/multi-level-ca/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/multi-level-ca/test.conf b/testing/tests/ikev2/multi-level-ca/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/multi-level-ca/test.conf
+++ b/testing/tests/ikev2/multi-level-ca/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/nat-one-rw/description.txt b/testing/tests/ikev2/nat-one-rw/description.txt
deleted file mode 100644
index c3b9bb820..000000000
--- a/testing/tests/ikev2/nat-one-rw/description.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to
-gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, the NAT-ed host <b>alice</b> pings the
-client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-one-rw/evaltest.dat b/testing/tests/ikev2/nat-one-rw/evaltest.dat
deleted file mode 100644
index 7395e5571..000000000
--- a/testing/tests/ikev2/nat-one-rw/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec statusall::nat-t.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 6d9e62e1d..000000000
--- a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  keep_alive = 1d 
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index a2c168601..000000000
--- a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftfirewall=yes
-
-conn net-net
-	leftsubnet=10.2.0.0/16
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
-
-conn host-host
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	auto=add
-
-conn nat-t
-	leftsubnet=10.2.0.0/16
-	right=%any
-	rightsubnet=10.1.0.10/32
-	auto=add
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-one-rw/posttest.dat b/testing/tests/ikev2/nat-one-rw/posttest.dat
deleted file mode 100644
index cd0d4df25..000000000
--- a/testing/tests/ikev2/nat-one-rw/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-alice::ipsec stop
-sun::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-one-rw/pretest.dat b/testing/tests/ikev2/nat-one-rw/pretest.dat
deleted file mode 100644
index a4f5ecd79..000000000
--- a/testing/tests/ikev2/nat-one-rw/pretest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::conntrack -F
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-alice::ipsec start
-sun::ipsec start
-alice::sleep 4
-alice::ipsec up nat-t
-alice::sleep 1 
-
diff --git a/testing/tests/ikev2/nat-one-rw/test.conf b/testing/tests/ikev2/nat-one-rw/test.conf
deleted file mode 100644
index d84149aaf..000000000
--- a/testing/tests/ikev2/nat-one-rw/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev2/nat-portswitch/description.txt b/testing/tests/ikev2/nat-portswitch/description.txt
deleted file mode 100644
index 93b779ee1..000000000
--- a/testing/tests/ikev2/nat-portswitch/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a connection 
-to gateway <b>sun</b> using IKEv2. UDP encapsulation is used to traverse the NAT router.
-The authentication is based on locally loaded <b>X.509 certificates</b>.
-After the IPsec Setup NAT router moon "crashes" (i.e. flushes its conntrack
-table) and with the next dpd sent from <b>alice</b> a dynamical address update
-should occur in gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-portswitch/evaltest.dat b/testing/tests/ikev2/nat-portswitch/evaltest.dat
deleted file mode 100644
index 75b01a551..000000000
--- a/testing/tests/ikev2/nat-portswitch/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-sun::ipsec statusall::rw-alice.*ESTABLISHED::YES
-alice::ipsec statusall::home.*ESTABLISHED::YES
-moon::cmd::iptables -t nat -F::YES
-moon::cmd::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:3024-3100::YES
-moon::cmd::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:4000-4100::YES
-moon::cmd::conntrack -F::YES
-alice::cmd::sleep 75::YES
-bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP, length: 132::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP, length: 132::YES
diff --git a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index cd9de533a..000000000
--- a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version	2.0	# conforms to second version of ipsec.conf specification
-
-config setup
-	plutostart=no
-
-conn home
-	left=PH_IP_ALICE
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	right=PH_IP_SUN
-	rightcert=sunCert.pem
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	keyexchange=ikev2
-	auto=add
diff --git a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem
deleted file mode 100644
index e7825e3db..000000000
--- a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z
-dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8
-foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS
-Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC
-AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe
-zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n
-HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G
-N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd
-p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
-EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
-ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg
-KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq
-hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i
-ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP
-Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S
-5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE
-JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk
-Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem
deleted file mode 100644
index e99ae8ec7..000000000
--- a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
-MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer
-GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4
-FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W
-6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH
-v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc
-KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG
-A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa
-60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG
-A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0
-cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu
-Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo
-2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ
-AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5
-D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S
-CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi
-6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re
-JGhV
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-portswitch/posttest.dat b/testing/tests/ikev2/nat-portswitch/posttest.dat
deleted file mode 100644
index 3b9f53e9b..000000000
--- a/testing/tests/ikev2/nat-portswitch/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-sun::rm /etc/ipsec.d/certs/*
-alice::rm /etc/ipsec.d/certs/*
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-portswitch/pretest.dat b/testing/tests/ikev2/nat-portswitch/pretest.dat
deleted file mode 100644
index 17cc4b070..000000000
--- a/testing/tests/ikev2/nat-portswitch/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-sun::ipsec start
-alice::ipsec start
-alice::sleep 1
-alice::ipsec up home
-alice::sleep 1 
diff --git a/testing/tests/ikev2/nat-portswitch/test.conf b/testing/tests/ikev2/nat-portswitch/test.conf
deleted file mode 100644
index d84149aaf..000000000
--- a/testing/tests/ikev2/nat-portswitch/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice sun"
diff --git a/testing/tests/ikev1/nat-two-rw-mark/description.txt b/testing/tests/ikev2/nat-rw-mark/description.txt
index 2a93d11d8..b8074e665 100644
--- a/testing/tests/ikev1/nat-two-rw-mark/description.txt
+++ b/testing/tests/ikev2/nat-rw-mark/description.txt
@@ -1,7 +1,7 @@
 The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
 tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
 Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
-after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
+after ESP decryption to map these subnets to PH_IP_CAROL10 and PH_IP_DAVE10, respectively.
 <p/>
 In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
 <b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
new file mode 100644
index 000000000..bb8e856cc
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun::  ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+sun::  ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
+sun::  ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4510.*: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4520.*: UDP::YES
+bob::tcpdump::PH_IP_CAROL10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::PH_IP_DAVE10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > PH_IP_CAROL10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > PH_IP_DAVE10: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/ipsec.conf
index 0f7c23845..4c29a07d5 100755..100644
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf
index ae4644c4b..aac963e91 100755..100644
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="knl 2"
 
 conn %default
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
index 0d22e684d..421335ffb 100755
--- a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
@@ -73,8 +73,12 @@
 #              just the host, this will be 255.255.255.255.
 #
 #       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
 #
 #       PLUTO_MY_PROTOCOL
 #              is the IP protocol that will be transported.
@@ -128,9 +132,15 @@
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
 
 # define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
 export PATH
 
 # uncomment to log VPN connections
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/ipsec.conf
index c82c3e978..38ef469c5 100755..100644
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-rw-mark/posttest.dat b/testing/tests/ikev2/nat-rw-mark/posttest.dat
new file mode 100644
index 000000000..72dff4e10
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/posttest.dat
@@ -0,0 +1,12 @@
+sun::iptables -t mangle -v -n -L PREROUTING
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+moon::conntrack -F
+sun::iptables-restore < /etc/iptables.flush
+sun::conntrack -F
+sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev1/nat-two-rw-mark/pretest.dat b/testing/tests/ikev2/nat-rw-mark/pretest.dat
index 310e5be71..6cddfd4fe 100644
--- a/testing/tests/ikev1/nat-two-rw-mark/pretest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/pretest.dat
@@ -1,19 +1,18 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::iptables-restore < /etc/iptables.rules
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500  -j SNAT --to PH_IP_MOON:510
 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500  -j SNAT --to PH_IP_MOON:520
 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
+sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 20
+sun::ipsec start
 alice::ipsec start
 venus::ipsec start
-sun::ipsec start
 alice::sleep 2
 alice::ipsec up nat-t
 venus::sleep 2
diff --git a/testing/tests/ikev2/nat-rw-mark/test.conf b/testing/tests/ikev2/nat-rw-mark/test.conf
new file mode 100644
index 000000000..105472cbe
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-mark/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon bob"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-rw-mixed/description.txt b/testing/tests/ikev2/nat-rw-mixed/description.txt
deleted file mode 100644
index 511a1a874..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> 
-set up a connection to gateway <b>sun</b>. <b>alice</b> uses the IKEv2 key exchange protocol 
-whereas <b>venus</b> negotiates the connection via the IKEv1 protocol.
-UDP encapsulation is used to traverse the NAT router.
-In order to test the tunnel the NAT-ed hosts <b>alice</b> and <b>venus</b> ping the client
-<b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-rw-mixed/evaltest.dat b/testing/tests/ikev2/nat-rw-mixed/evaltest.dat
deleted file mode 100644
index 685c1b43f..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-sun::ipsec statusall::rw-alice.*ESTABLISHED::YES
-sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-sun::ipsec status::nat-t.*@venus.strongswan.org::YES
-alice::ipsec statusall::home.*ESTABLISHED::YES
-sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf
deleted file mode 100644
index cd9de533a..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version	2.0	# conforms to second version of ipsec.conf specification
-
-config setup
-	plutostart=no
-
-conn home
-	left=PH_IP_ALICE
-	leftcert=aliceCert.pem
-	leftid=alice@strongswan.org
-	right=PH_IP_SUN
-	rightcert=sunCert.pem
-	rightid=@sun.strongswan.org
-	rightsubnet=10.2.0.0/16
-	keyexchange=ikev2
-	auto=add
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem
deleted file mode 100644
index e7825e3db..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z
-dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8
-foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS
-Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC
-AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe
-zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n
-HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G
-N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd
-p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
-EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
-ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg
-KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq
-hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i
-ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP
-Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S
-5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE
-JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk
-Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA==
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf
deleted file mode 100644
index b85bd607b..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-version	2.0	# conforms to second version of ipsec.conf specification
-
-config setup
-	plutodebug=control
-	crlcheckinterval=180	
-	nat_traversal=yes
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftsubnet=10.2.0.0/16
-
-conn rw-alice
-	right=%any
-	rightcert=aliceCert.pem
-	rightid=alice@strongswan.org
-	rightsubnet=10.1.0.0/16
-	keyexchange=ikev2
-	auto=add
-
-conn nat-t
-	leftsubnet=10.2.0.0/16
-	right=%any
-	rightsubnetwithin=10.1.0.0/16
-	keyexchange=ikev1
-	auto=add
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem
deleted file mode 100644
index e99ae8ec7..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz
-MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB
-BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer
-GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4
-FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W
-6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH
-v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc
-KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG
-A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa
-60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG
-A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0
-cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu
-Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn
-L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo
-2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ
-AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5
-D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S
-CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi
-6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re
-JGhV
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem
deleted file mode 100644
index 25a6941b0..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA0MDkxMDExMTgyNloXDTA5MDkwOTExMTgyNlowRzELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHTAbBgNVBAMTFHZlbnVz
-LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-mlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFCdhoDg6cxrsIvPAWy
-Gs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3sDdvZFbyfmQTWSEyJ
-thrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHOjpVNHn3BPUiL99ON
-FiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iOvRGtJa/MfOWX6L/H
-wquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjyGxw1lORlDQlZy2w/
-nu0BAbXS1pb/2AiF8jDpbQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E
-BAMCA6gwHQYDVR0OBBYEFEqPlXBYJh1knX0Q61HMcn9LOZ6sMG0GA1UdIwRmMGSA
-FF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UE
-ChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB
-ggEAMB8GA1UdEQQYMBaCFHZlbnVzLnN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAw
-LqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmww
-DQYJKoZIhvcNAQEEBQADggEBAEx3kXh2Z5CMH+tX6cJPyi6gSeOgXy7NBiNsEdXN
-rwGp4DwN6uiSog4EYZJA203oqE3eaoYdBXKiOGvjW4vyigvpDr8H+MeW2HsNuMKX
-PFpY4NucV0fJlzFhtkp31zTLHNESCgTqNIwGj+CbN0rxhHGE6502krnu+C12nJ7B
-fdMzml1RmVp4JlZC5yfiTy0F2s/aH+8xQ2x509UoD+boNM9GR+IlWS2dDypISGid
-hbM4rpiMLBj2riWD8HiuljkKQ6LemBXeZQXuIPlusl7cH/synNkHk8iiALM8xfGh
-wTEmdo5Tp5sDI3cj3LVvhcsTxjiOA81her1F0itlxpEA/gA=
------END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mixed/posttest.dat b/testing/tests/ikev2/nat-rw-mixed/posttest.dat
deleted file mode 100644
index 0a8ce2bbc..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-sun::rm /etc/ipsec.d/certs/*
-alice::rm /etc/ipsec.d/certs/*
-moon::iptables -t nat -F
diff --git a/testing/tests/ikev2/nat-rw-mixed/pretest.dat b/testing/tests/ikev2/nat-rw-mixed/pretest.dat
deleted file mode 100644
index d2c5c7df2..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/pretest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
-sun::ipsec start
-alice::ipsec start
-venus::ipsec start
-alice::sleep 1
-venus::ipsec up nat-t
-alice::ipsec up home
-alice::sleep 1 
diff --git a/testing/tests/ikev2/nat-rw-mixed/test.conf b/testing/tests/ikev2/nat-rw-mixed/test.conf
deleted file mode 100644
index 84317fd70..000000000
--- a/testing/tests/ikev2/nat-rw-mixed/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev1/nat-two-rw-psk/description.txt b/testing/tests/ikev2/nat-rw-psk/description.txt
index c74897d9a..c74897d9a 100644
--- a/testing/tests/ikev1/nat-two-rw-psk/description.txt
+++ b/testing/tests/ikev2/nat-rw-psk/description.txt
diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
new file mode 100644
index 000000000..6ec29c779
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
@@ -0,0 +1,9 @@
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES
+sun::  ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.conf
index e0ccbb812..089e91ed7 100755..100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.secrets
index d61e3eb48..d61e3eb48 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..924fd4757
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.conf
index d6b5d4d6f..e939d89ae 100755..100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.secrets
index 5f2955503..5f2955503 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..924fd4757
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.conf
index e0ccbb812..089e91ed7 100755..100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.secrets
index 9cd66b1df..9cd66b1df 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.secrets
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..924fd4757
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-rw-psk/posttest.dat b/testing/tests/ikev2/nat-rw-psk/posttest.dat
new file mode 100644
index 000000000..4643a3a7b
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-two-rw-psk/pretest.dat b/testing/tests/ikev2/nat-rw-psk/pretest.dat
index 5e23259bb..c5d091f32 100644
--- a/testing/tests/ikev2/nat-two-rw-psk/pretest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/pretest.dat
@@ -1,15 +1,14 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::rm /etc/ipsec.d/cacerts/*
 venus::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
+sun::ipsec start
 alice::ipsec start
 venus::ipsec start
-sun::ipsec start
 alice::sleep 2 
 alice::ipsec up nat-t
 venus::sleep 2 
diff --git a/testing/tests/ikev2/nat-rw-psk/test.conf b/testing/tests/ikev2/nat-rw-psk/test.conf
new file mode 100644
index 000000000..f515d4bc7
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw-psk/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-two-rw/description.txt b/testing/tests/ikev2/nat-rw/description.txt
index dcf4b94bd..dcf4b94bd 100644
--- a/testing/tests/ikev2/nat-two-rw/description.txt
+++ b/testing/tests/ikev2/nat-rw/description.txt
diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat
new file mode 100644
index 000000000..387dbae23
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/evaltest.dat
@@ -0,0 +1,18 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: sleep 6::no output expected::NO
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: isakmp-nat-keep-alive::YES
+alice::cat /var/log/daemon.log::sending keep alive::YES
+venus::cat /var/log/daemon.log::sending keep alive::YES
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw/hosts/alice/etc/ipsec.conf
index 3da2fcf86..3e85551c9 100755..100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-rw/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,7 +10,7 @@ conn %default
 	keyexchange=ikev2
 		
 conn nat-t
-	left=%defaultroute
+	left=%any
 	leftcert=aliceCert.pem
 	leftid=alice@strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..dabff38e4
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw/hosts/sun/etc/ipsec.conf
index 57496e10e..06105ade0 100755..100644
--- a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/ipsec.conf
@@ -1,24 +1,20 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	nat_traversal=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
+	keyexchange=ikev2
 
-conn host-net
-	left=192.168.0.2
+conn nat-t
+	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftfirewall=yes
 	leftsubnet=10.2.0.0/16
 	right=%any
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..ca23c6971
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-rw/hosts/venus/etc/ipsec.conf
index 3a70b3434..57364be7f 100755..100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-rw/hosts/venus/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,7 +10,7 @@ conn %default
 	keyexchange=ikev2
 
 conn nat-t
-	left=%defaultroute
+	left=%any
 	leftcert=venusCert.pem
 	leftid=@venus.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..dabff38e4
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/ikev2/nat-rw/posttest.dat b/testing/tests/ikev2/nat-rw/posttest.dat
new file mode 100644
index 000000000..4643a3a7b
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-two-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat
index e365ff5c5..f58e82adc 100644
--- a/testing/tests/ikev2/nat-two-rw/pretest.dat
+++ b/testing/tests/ikev2/nat-rw/pretest.dat
@@ -1,7 +1,7 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::conntrack -F
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
diff --git a/testing/tests/ikev2/nat-rw/test.conf b/testing/tests/ikev2/nat-rw/test.conf
new file mode 100644
index 000000000..f515d4bc7
--- /dev/null
+++ b/testing/tests/ikev2/nat-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-two-rw-mark/description.txt b/testing/tests/ikev2/nat-two-rw-mark/description.txt
deleted file mode 100644
index 2a93d11d8..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/description.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
-tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT
-after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.
-<p/>
-In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
-<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
-the <b>mark</b> parameter in ipsec.conf.
-<p/>
-<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to
-and from <b>alice</b> and <b>venus</b>, respectively.
-<p/>
-The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts 
-iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules 
-that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> 
-and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat
deleted file mode 100644
index 74ba178d9..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-venus::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec statusall::alice.*ESTABLISHED.*alice@strongswan.org::YES
-sun::ipsec statusall::venus.*ESTABLISHED.*venus.strongswan.org::YES
-sun::ipsec statusall::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
-sun::ipsec statusall::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES
-bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
-bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/posttest.dat b/testing/tests/ikev2/nat-two-rw-mark/posttest.dat
deleted file mode 100644
index 89d5f534b..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-sun::iptables -t mangle -v -n -L PREROUTING
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
-sun::conntrack -F
-sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev2/nat-two-rw-mark/pretest.dat b/testing/tests/ikev2/nat-two-rw-mark/pretest.dat
deleted file mode 100644
index 105968f45..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/pretest.dat
+++ /dev/null
@@ -1,21 +0,0 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500  -j SNAT --to PH_IP_MOON:510
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500  -j SNAT --to PH_IP_MOON:520
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
-moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
-alice::ipsec start
-venus::ipsec start
-sun::ipsec start
-alice::sleep 2 
-alice::ipsec up nat-t
-venus::sleep 2 
-venus::ipsec up nat-t
-venus::sleep 2
diff --git a/testing/tests/ikev2/nat-two-rw-mark/test.conf b/testing/tests/ikev2/nat-two-rw-mark/test.conf
deleted file mode 100644
index ae3c190b8..000000000
--- a/testing/tests/ikev2/nat-two-rw-mark/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-two-rw-psk/description.txt b/testing/tests/ikev2/nat-two-rw-psk/description.txt
deleted file mode 100644
index c74897d9a..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
-tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router.
-Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway <b>sun</b>.
-<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
-ping the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/nat-two-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-two-rw-psk/evaltest.dat
deleted file mode 100644
index 2cab168f0..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-venus::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec status::nat-t.*\[PH_IP_ALICE\]::YES
-sun::ipsec status::nat-t.*\[PH_IP_VENUS\]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 882ea04a5..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 882ea04a5..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 882ea04a5..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw-psk/posttest.dat b/testing/tests/ikev2/nat-two-rw-psk/posttest.dat
deleted file mode 100644
index 52572ece8..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-two-rw-psk/test.conf b/testing/tests/ikev2/nat-two-rw-psk/test.conf
deleted file mode 100644
index 84317fd70..000000000
--- a/testing/tests/ikev2/nat-two-rw-psk/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-two-rw/evaltest.dat b/testing/tests/ikev2/nat-two-rw/evaltest.dat
deleted file mode 100644
index bd0a4b52b..000000000
--- a/testing/tests/ikev2/nat-two-rw/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-venus::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec status::alice@strongswan.org::YES
-sun::ipsec status::venus.strongswan.org::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index d8b426318..000000000
--- a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev2
-	left=PH_IP_SUN
-	leftcert=sunCert.pem
-	leftid=@sun.strongswan.org
-	leftfirewall=yes
-
-conn net-net
-	leftsubnet=10.2.0.0/16
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
-	rightid=@moon.strongswan.org
-	auto=add
-
-conn host-host
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	auto=add
-
-conn nat-t
-	leftsubnet=10.2.0.0/16
-	right=%any
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 339b56987..000000000
--- a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
-}
diff --git a/testing/tests/ikev2/nat-two-rw/posttest.dat b/testing/tests/ikev2/nat-two-rw/posttest.dat
deleted file mode 100644
index 52572ece8..000000000
--- a/testing/tests/ikev2/nat-two-rw/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/ikev2/nat-two-rw/test.conf b/testing/tests/ikev2/nat-two-rw/test.conf
deleted file mode 100644
index 84317fd70..000000000
--- a/testing/tests/ikev2/nat-two-rw/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
index 75d5ffbd3..c60ffc772 100644
--- a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
@@ -1,7 +1,7 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
index e43e0d785..46fc364dd 100755..100644
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
index cb3d46293..8e685c862 100644
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf
index 9cede8d56..1d7ba47ee 100755..100644
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
index cb3d46293..8e685c862 100644
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/nat-virtual-ip/posttest.dat b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
index ee30e2c59..11bd19da7 100644
--- a/testing/tests/ikev2/nat-virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
 moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
index abbca90d7..eb0c28c7f 100644
--- a/testing/tests/ikev2/nat-virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
@@ -1,7 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::conntrack -F
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/nat-virtual-ip/test.conf b/testing/tests/ikev2/nat-virtual-ip/test.conf
index 1971a33ab..f46f137b4 100644
--- a/testing/tests/ikev2/nat-virtual-ip/test.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun bob"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-cert/evaltest.dat b/testing/tests/ikev2/net2net-cert/evaltest.dat
index e67c39a08..2b37cad99 100644
--- a/testing/tests/ikev2/net2net-cert/evaltest.dat
+++ b/testing/tests/ikev2/net2net-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
index 562f26826..2d31a19d2 100755..100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index cb17a9e07..94e0b2a62 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
index 24e5df519..06bfa038b 100755..100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index cb17a9e07..94e0b2a62 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-cert/posttest.dat b/testing/tests/ikev2/net2net-cert/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/net2net-cert/posttest.dat
+++ b/testing/tests/ikev2/net2net-cert/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-cert/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/net2net-cert/pretest.dat
+++ b/testing/tests/ikev2/net2net-cert/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/net2net-cert/test.conf b/testing/tests/ikev2/net2net-cert/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-cert/test.conf
+++ b/testing/tests/ikev2/net2net-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-dnssec/description.txt b/testing/tests/ikev2/net2net-dnssec/description.txt
new file mode 100644
index 000000000..9893359c0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b>
+resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-dnssec/evaltest.dat b/testing/tests/ikev2/net2net-dnssec/evaltest.dat
new file mode 100644
index 000000000..389cac7f3
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/evaltest.dat
@@ -0,0 +1,9 @@
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*sun.strongswan.org::YES
+sun::  cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
index a38c66023..ea10eb0a3 100755..100644
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
@@ -1,24 +1,24 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control parsing"
-	nocrsend=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
+	keyexchange=ikev2
+	mobike=no
 	
 conn net-net
 	left=PH_IP_MOON
+	leftid=moon.strongswan.org
 	leftsubnet=10.1.0.0/16
-	leftcert=moonCert.asc
-	leftid=@#71270432cd763a18020ac988c0e75aed
+	leftsigkey=moonPub.der
+	leftauth=pubkey
 	leftfirewall=yes
-	right=PH_IP_SUN
+	right=sun.strongswan.org
+	rightid=sun.strongswan.org
 	rightsubnet=10.2.0.0/16
-	rightcert=sunCert.asc
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der
new file mode 100644
index 000000000..71571044c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..44a54a9dd
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
+
+libstrongswan {
+  plugins {
+    unbound {
+      # trust_anchors = /etc/ipsec.d/dnssec.keys
+      # resolv_conf = /etc/resolv.conf
+    }
+  }
+}
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
index 6a373e29f..9e310050d 100755..100644
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
@@ -1,24 +1,24 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	nocrsend=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
+	keyexchange=ikev2
+	mobike=no
 	
 conn net-net
 	left=PH_IP_SUN
+	leftid=sun.strongswan.org
 	leftsubnet=10.2.0.0/16
-	leftcert=sunCert.asc
+	leftsigkey=sunPub.der
+	leftauth=pubkey
 	leftfirewall=yes
-	right=PH_IP_MOON
+	right=moon.strongswan.org
+	rightid=moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	rightcert=moonCert.asc
-	rightid=@#71270432cd763a18020ac988c0e75aed
+	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der
new file mode 100644
index 000000000..cc99934db
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..44a54a9dd
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
+
+libstrongswan {
+  plugins {
+    unbound {
+      # trust_anchors = /etc/ipsec.d/dnssec.keys
+      # resolv_conf = /etc/resolv.conf
+    }
+  }
+}
diff --git a/testing/tests/ikev2/net2net-dnssec/posttest.dat b/testing/tests/ikev2/net2net-dnssec/posttest.dat
new file mode 100644
index 000000000..c594c4dc8
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/resolv.conf
+sun::rm /etc/resolv.conf
+moon::rm /etc/ipsec.d/dnssec.keys
+sun::rm /etc/ipsec.d/dnssec.keys
diff --git a/testing/tests/ikev1/net2net-rsa/pretest.dat b/testing/tests/ikev2/net2net-dnssec/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev1/net2net-rsa/pretest.dat
+++ b/testing/tests/ikev2/net2net-dnssec/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-dnssec/test.conf b/testing/tests/ikev2/net2net-dnssec/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/ikev2/net2net-dnssec/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-esn/evaltest.dat b/testing/tests/ikev2/net2net-esn/evaltest.dat
index 928783c87..63058eb88 100644
--- a/testing/tests/ikev2/net2net-esn/evaltest.dat
+++ b/testing/tests/ikev2/net2net-esn/evaltest.dat
@@ -1,14 +1,16 @@
-sun::cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ/NO_EXT_SEQ::YES
-sun::cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ::YES
-sun::cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
-moon::cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
-moon::ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
+sun::  cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ/NO_EXT_SEQ::YES
+sun::  cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ::YES
+sun::  cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
+moon:: cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
+moon:: ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
 alice::ping -c 10 -i 0 -f PH_IP_BOB::10 packets transmitted, 10 received, 0% packet loss::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-moon::ipsec statusall::AES_CBC_128/HMAC_SHA1_96/ESN::YES
-sun::ipsec statusall::AES_CBC_128/HMAC_SHA1_96/ESN::YES
+moon::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_96/ESN::YES
+sun:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_96/ESN::YES
 
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
index 98f4864d3..3418e63c4 100755..100644
--- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="cfg 2, knl 2"
 
 conn %default
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
index 26fde389e..f0b6c906f 100755..100644
--- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="cfg 2, knl 2"
 
 conn %default
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-esn/posttest.dat b/testing/tests/ikev2/net2net-esn/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/net2net-esn/posttest.dat
+++ b/testing/tests/ikev2/net2net-esn/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/net2net-esn/pretest.dat b/testing/tests/ikev2/net2net-esn/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/net2net-esn/pretest.dat
+++ b/testing/tests/ikev2/net2net-esn/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/net2net-esn/test.conf b/testing/tests/ikev2/net2net-esn/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-esn/test.conf
+++ b/testing/tests/ikev2/net2net-esn/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
index 1a3759e34..460c659d9 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*INSTALLED::YES
-sun::ipsec status::net-net.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed.*sun <sun.strongswan.org>::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun <sun.strongswan.org>.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
index 405cd06bf..7601113ab 100755..100644
--- a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
index 949b9af16..8accff27c 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
index 4460106de..641c3d929 100755..100644
--- a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
index 949b9af16..8accff27c 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
index fafcde975..9a9513dc3 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
 sun::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-pgp-v3/test.conf b/testing/tests/ikev2/net2net-pgp-v3/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/test.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
index 1a3759e34..f74eb6a19 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*INSTALLED::YES
-sun::ipsec status::net-net.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*b4:2f:31:fe:c8:0a:e3:26:4a:10:1c:85:97:7a:04:ac:8d:16:38:d3::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*b4:2f:31:fe:c8:0a:e3:26:4a:10:1c:85:97:7a:04:ac:8d:16:38:d3.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
index d059cb1da..06a26b64b 100755..100644
--- a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
index 949b9af16..8accff27c 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
index 198f2a8a8..cff03c4c6 100755..100644
--- a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
index 949b9af16..8accff27c 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pgp-v4/posttest.dat b/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
index fafcde975..9a9513dc3 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
 sun::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
+++ b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-pgp-v4/test.conf b/testing/tests/ikev2/net2net-pgp-v4/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/test.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/net2net-pgp-v3/description.txt b/testing/tests/ikev2/net2net-pkcs12/description.txt
index bd680b57a..e66ea1918 100644
--- a/testing/tests/ikev1/net2net-pgp-v3/description.txt
+++ b/testing/tests/ikev2/net2net-pkcs12/description.txt
@@ -1,6 +1,8 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
+<b>PKCS12</b> format.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
 pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/ikev2/net2net-pkcs12/evaltest.dat
new file mode 100644
index 000000000..2b37cad99
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..0296e1804
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
new file mode 100644
index 000000000..d3cca4fd5
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..802cfc681
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ"
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4628e70ce
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..6dcedd0e6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
new file mode 100644
index 000000000..1a9e2aa01
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
index 1b721dc58..3dc85528c 100644
--- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
@@ -1,6 +1,7 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+: P12 sunCert.p12 "IxjQVCF3JGI+MoPi"
+
 
 
 
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..4628e70ce
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-pkcs12/posttest.dat b/testing/tests/ikev2/net2net-pkcs12/posttest.dat
new file mode 100644
index 000000000..0fbba487c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/private/moonCert.p12
+sun::rm /etc/ipsec.d/private/sunCert.p12
diff --git a/testing/tests/ikev2/net2net-pkcs12/pretest.dat b/testing/tests/ikev2/net2net-pkcs12/pretest.dat
new file mode 100644
index 000000000..3492238f0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.d/private/moonKey.pem
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+sun::rm /etc/ipsec.d/private/sunKey.pem
+sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-pkcs12/test.conf b/testing/tests/ikev2/net2net-pkcs12/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-pkcs12/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
index 5881d9246..113c3d9c0 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
@@ -1,8 +1,8 @@
-moon::ipsec statusall::dscp-be.*ESTABLISHED::YES
-moon::ipsec statusall::dscp-ef.*ESTABLISHED::YES
-sun::ipsec statusall::dscp-be.*ESTABLISHED::YES
-sun::ipsec statusall::dscp-ef.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*moon-be.*sun-be::YES
+moon:: ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*moon-ef.*sun-ef::YES
+sun::  ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*sun-be.*moon-be::YES
+sun::  ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*sun-ef.*moon-ef::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
index d78d27c1a..aeaebe1f4 100755..100644
--- a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="knl 2"
 
 conn %default
@@ -15,15 +12,15 @@ conn %default
 	mobike=no
 
 conn dscp-be
-	leftid=@sun-be
-	rightid=@moon-be
+	leftid=@moon-be
+	rightid=@sun-be
 	mark=10
 	also=net-net
 	auto=add
 
 conn dscp-ef
-	leftid=@sun-ef
-	rightid=@moon-ef
+	leftid=@moon-ef
+	rightid=@sun-ef
 	mark=20
 	also=net-net
 	auto=add
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
index 5e8f49b17..54cdfd9bc 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
index 9d2ef7471..8b54476fd 100755..100644
--- a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="knl 2"
 
 conn %default
@@ -15,15 +12,15 @@ conn %default
 	mobike=no
 
 conn dscp-be
-	leftid=@moon-be
-	rightid=@sun-be
+	leftid=@sun-be
+	rightid=@moon-be
 	mark=10
 	also=net-net
 	auto=add
 
 conn dscp-ef
-	leftid=@moon-ef
-	rightid=@sun-ef
+	leftid=@sun-ef
+	rightid=@moon-ef
 	mark=20
 	also=net-net
 	auto=add
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
index 5e8f49b17..54cdfd9bc 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
index d070c1443..21a22bfb8 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 alice::iptables -t mangle -F OUTPUT
 venus::iptables -t mangle -F OUTPUT
 bob::iptables -t mangle -F OUTPUT
diff --git a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
index 058c24f8f..0495890dd 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
@@ -1,7 +1,7 @@
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 alice::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
 venus::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class EF
 moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
diff --git a/testing/tests/ikev2/net2net-psk-dscp/test.conf b/testing/tests/ikev2/net2net-psk-dscp/test.conf
index 13a8a2a48..10c582c9b 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/test.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk-fail/description.txt b/testing/tests/ikev2/net2net-psk-fail/description.txt
new file mode 100644
index 000000000..d41b2c954
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/description.txt
@@ -0,0 +1,4 @@
+A connection between the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>Preshared Keys</b> (PSK), but gateway <b>moon</b>
+uses a wrong PSK. Therefore the connection setup is aborted by gateway <b>sun</b>
+by sending an <b>AUTHENTICATION_FAILED</b> notify error.
diff --git a/testing/tests/ikev2/net2net-psk-fail/evaltest.dat b/testing/tests/ikev2/net2net-psk-fail/evaltest.dat
new file mode 100644
index 000000000..3f5092893
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/evaltest.dat
@@ -0,0 +1,6 @@
+sun:: cat /var/log/daemon.log::tried 1 shared key for.*sun.strongswan.org.*moon.strongswan.org.*but MAC mismatched::YES
+moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::NO
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::NO
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.conf
index 5f7cdedd2..f495194a7 100755..100644
--- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.conf
@@ -1,22 +1,22 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
 	authby=secret
-	
-conn rw-carol 
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
-	right=%any
-	rightid=@carol.strongswan.org
+	right=PH_IP_SUN
+	rightsubnet=10.2.0.0/16
+	rightid=@sun.strongswan.org
 	auto=add
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..38ebf966c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,4 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx
+
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5db4358d6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..26f16ac6e
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	authby=secret
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_SUN
+	leftsubnet=10.2.0.0/16
+	leftid=@sun.strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..be95c4d99
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..5db4358d6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-psk-fail/posttest.dat b/testing/tests/ikev2/net2net-psk-fail/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/net2net-pgp-v4/pretest.dat b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
index 9e40684ab..cb9282595 100644
--- a/testing/tests/ikev1/net2net-pgp-v4/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk-fail/pretest.dat
@@ -1,8 +1,8 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2
+moon::sleep 1 
 moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-psk-fail/test.conf b/testing/tests/ikev2/net2net-psk-fail/test.conf
new file mode 100644
index 000000000..eb4822b5d
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-fail/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-psk/evaltest.dat b/testing/tests/ikev2/net2net-psk/evaltest.dat
index e67c39a08..2b37cad99 100644
--- a/testing/tests/ikev2/net2net-psk/evaltest.dat
+++ b/testing/tests/ikev2/net2net-psk/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
index 15d8ddb11..f495194a7 100755..100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
index cbdddfb18..ba909a234 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets
@@ -8,5 +8,5 @@
 
 : PSK 'My "home" is my "castle"!'
 
-192.168.0.1 : PSK   "Andi's home"
+PH_IP_MOON : PSK   "Andi's home"
 
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
index 4e2fcf17b..5db4358d6 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
index e145d9974..26f16ac6e 100755..100644
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
index 4e2fcf17b..5db4358d6 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk/posttest.dat b/testing/tests/ikev2/net2net-psk/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-psk/posttest.dat
+++ b/testing/tests/ikev2/net2net-psk/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-psk/pretest.dat b/testing/tests/ikev2/net2net-psk/pretest.dat
index 976a196db..cb9282595 100644
--- a/testing/tests/ikev2/net2net-psk/pretest.dat
+++ b/testing/tests/ikev2/net2net-psk/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-psk/test.conf b/testing/tests/ikev2/net2net-psk/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-psk/test.conf
+++ b/testing/tests/ikev2/net2net-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-pubkey/evaltest.dat b/testing/tests/ikev2/net2net-pubkey/evaltest.dat
index 0ccfb7efd..bc03a39fb 100644
--- a/testing/tests/ikev2/net2net-pubkey/evaltest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/evaltest.dat
@@ -1,7 +1,7 @@
-moon::ipsec status::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status::INSTALLED, TUNNEL::YES
-sun::ipsec status::INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
index 945cf3a40..bcc6d5b69 100755..100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,12 +13,12 @@ conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
-	leftrsasigkey=moonPub.der
+	leftsigkey=moonPub.der
 	leftauth=pubkey
 	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
-	rightrsasigkey=sunPub.der
+	rightsigkey=sunPub.der
 	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
index 0581bae5c..3cd90047f 100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+  load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
index 5c07de8a2..4fe2e67de 100755..100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,10 +13,10 @@ conn net-net
 	left=PH_IP_SUN
 	leftsubnet=10.2.0.0/16
 	leftid=@sun.strongswan.org
-	leftrsasigkey=sunPub.der
+	leftsigkey=sunPub.der
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	rightrsasigkey=moonPub.der
+	rightsigkey=moonPub.der
 	auto=add
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf
index 0581bae5c..3cd90047f 100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+  load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev2/net2net-pubkey/posttest.dat b/testing/tests/ikev2/net2net-pubkey/posttest.dat
index 65b18b7ca..675b02976 100644
--- a/testing/tests/ikev2/net2net-pubkey/posttest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/private/moonKey.der
 sun::rm /etc/ipsec.d/private/sunKey.der
 moon::rm /etc/ipsec.d/certs/*.der
diff --git a/testing/tests/ikev2/net2net-pubkey/pretest.dat b/testing/tests/ikev2/net2net-pubkey/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-pubkey/pretest.dat
+++ b/testing/tests/ikev2/net2net-pubkey/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-pubkey/test.conf b/testing/tests/ikev2/net2net-pubkey/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-pubkey/test.conf
+++ b/testing/tests/ikev2/net2net-pubkey/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
index 149cf727a..e8e1a46e4 100644
--- a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat
@@ -1,15 +1,15 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
-moon::cat /var/log/daemon.log::subject address block 192.168.0.2/32 is contained in issuer address block 192.168.0.0/24::YES 
-moon::cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
-moon::cat /var/log/daemon.log::subject address block fec2:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
-sun::cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
-sun::cat /var/log/daemon.log::subject address block 192.168.0.1/32 is contained in issuer address block 192.168.0.0/24::YES 
-sun::cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
-sun::cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
-moon::cat /var/log/daemon.log::TS 10.2.0.0/16 is contained in address block constraint 10.2.0.0/16::YES
-sun::cat /var/log/daemon.log::TS 10.1.0.0/16 is contained in address block constraint 10.1.0.0/16::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
+moon:: cat /var/log/daemon.log::subject address block PH_IP_SUN/32 is contained in issuer address block 192.168.0.0/24::YES
+moon:: cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
+moon:: cat /var/log/daemon.log::subject address block fec2:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
+sun::  cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES 
+sun::  cat /var/log/daemon.log::subject address block PH_IP_MOON/32 is contained in issuer address block 192.168.0.0/24::YES
+sun::  cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
+sun::  cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES 
+moon:: cat /var/log/daemon.log::TS 10.2.0.0/16 is contained in address block constraint 10.2.0.0/16::YES
+sun::  cat /var/log/daemon.log::TS 10.1.0.0/16 is contained in address block constraint 10.1.0.0/16::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf
index ce59d849c..9ba918893 100755..100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="cfg 2"
 
 conn %default
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
index 025e1c222..f1e81ea2f 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf
index afc2e399e..d41e43a5c 100755..100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="cfg 2"
 
 conn %default
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
index 025e1c222..f1e81ea2f 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-rfc3779/posttest.dat b/testing/tests/ikev2/net2net-rfc3779/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/net2net-rfc3779/posttest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/net2net-rfc3779/pretest.dat b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
index 545a3690e..9fe2860b9 100644
--- a/testing/tests/ikev2/net2net-rfc3779/pretest.dat
+++ b/testing/tests/ikev2/net2net-rfc3779/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/net2net-rfc3779/test.conf b/testing/tests/ikev2/net2net-rfc3779/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-rfc3779/test.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-route/evaltest.dat b/testing/tests/ikev2/net2net-route/evaltest.dat
index a89e5a298..77ab6e7c6 100644
--- a/testing/tests/ikev2/net2net-route/evaltest.dat
+++ b/testing/tests/ikev2/net2net-route/evaltest.dat
@@ -1,6 +1,8 @@
-moon::cat /var/log/daemon.log::creating acquire job::YES
-moon::ipsec statusall::net-net.*INSTALLED::YES
-sun::ipsec statusall::net-net.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::creating acquire job::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
index 8a2f8b77c..c374cd6b4 100755..100644
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
index 24e5df519..06bfa038b 100755..100644
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-route/posttest.dat b/testing/tests/ikev2/net2net-route/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-route/posttest.dat
+++ b/testing/tests/ikev2/net2net-route/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-route/pretest.dat b/testing/tests/ikev2/net2net-route/pretest.dat
index 2eef7de19..e4ee3fac2 100644
--- a/testing/tests/ikev2/net2net-route/pretest.dat
+++ b/testing/tests/ikev2/net2net-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2 
diff --git a/testing/tests/ikev2/net2net-route/test.conf b/testing/tests/ikev2/net2net-route/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-route/test.conf
+++ b/testing/tests/ikev2/net2net-route/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-rsa/evaltest.dat b/testing/tests/ikev2/net2net-rsa/evaltest.dat
index 0ccfb7efd..bc03a39fb 100644
--- a/testing/tests/ikev2/net2net-rsa/evaltest.dat
+++ b/testing/tests/ikev2/net2net-rsa/evaltest.dat
@@ -1,7 +1,7 @@
-moon::ipsec status::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::ipsec status::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon::ipsec status::INSTALLED, TUNNEL::YES
-sun::ipsec status::INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
index 61b9b710a..c0ee06240 100755..100644
--- a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,12 +13,12 @@ conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
-	leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+	leftsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
 	leftauth=pubkey
 	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
-	rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+	rightsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
 	rightauth=pubkey
 	auto=add
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
index 3bc16ccda..e1efec866 100644
--- a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
index 24e20dc25..b089e9f48 100755..100644
--- a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,10 +13,10 @@ conn net-net
 	left=PH_IP_SUN
 	leftsubnet=10.2.0.0/16
 	leftid=@sun.strongswan.org
-	leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+	leftsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+	rightsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
 	auto=add
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
index 3bc16ccda..e1efec866 100644
--- a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown
+  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev2/net2net-rsa/posttest.dat b/testing/tests/ikev2/net2net-rsa/posttest.dat
index a199946aa..f7fe7dc48 100644
--- a/testing/tests/ikev2/net2net-rsa/posttest.dat
+++ b/testing/tests/ikev2/net2net-rsa/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/private/moonKey.der
 sun::rm /etc/ipsec.d/private/sunKey.der
diff --git a/testing/tests/ikev2/net2net-rsa/pretest.dat b/testing/tests/ikev2/net2net-rsa/pretest.dat
index 9e40684ab..0f4ae0f4f 100644
--- a/testing/tests/ikev2/net2net-rsa/pretest.dat
+++ b/testing/tests/ikev2/net2net-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 sun::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
diff --git a/testing/tests/ikev2/net2net-rsa/test.conf b/testing/tests/ikev2/net2net-rsa/test.conf
index f74d0f7d6..afa2accbe 100644
--- a/testing/tests/ikev2/net2net-rsa/test.conf
+++ b/testing/tests/ikev2/net2net-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-same-nets/evaltest.dat b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
index bf99bb278..3b479cefa 100644
--- a/testing/tests/ikev2/net2net-same-nets/evaltest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
@@ -1,7 +1,9 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
-bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_req=1::YES
+bob::  ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf
index 8f43a4f6e..077a3ed08 100755..100644
--- a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf
index 33e1e6656..af85e186a 100755..100644
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index c64158a2f..bdba3fb05 100755
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -73,8 +73,12 @@
 #              just the host, this will be 255.255.255.255.
 #
 #       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
 #
 #       PLUTO_MY_PROTOCOL
 #              is the IP protocol that will be transported.
@@ -128,9 +132,15 @@
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
 
 # define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
 export PATH
 
 # check parameter(s)
@@ -196,8 +206,8 @@ up-client:)
 	    iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
 	             -d $OUT_NET -j NETMAP --to $SAME_NET
 	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
-            iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
-                     -s $SAME_NET -j NETMAP --to $IN_NET
+	    iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+	             -s $SAME_NET -j NETMAP --to $IN_NET
 	fi
 	;;
 down-client:)
@@ -215,7 +225,11 @@ down-client:)
 	if [ -n "$PLUTO_MARK_OUT" ]
 	then
 	    iptables -t mangle -D PREROUTING $SET_MARK_OUT
+	    iptables -t nat -D PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+	             -d $OUT_NET -j NETMAP --to $SAME_NET
 	    iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+	    iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+	             -s $SAME_NET -j NETMAP --to $IN_NET
 	fi
 	;;
 *)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-same-nets/posttest.dat b/testing/tests/ikev2/net2net-same-nets/posttest.dat
index e75e66650..b0225c37e 100644
--- a/testing/tests/ikev2/net2net-same-nets/posttest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/posttest.dat
@@ -2,6 +2,6 @@ sun::iptables -t mangle -n -v -L PREROUTING
 sun::iptables -t nat -n -v -L
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::conntrack -F
diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2/net2net-same-nets/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/net2net-same-nets/pretest.dat
+++ b/testing/tests/ikev2/net2net-same-nets/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/net2net-same-nets/test.conf b/testing/tests/ikev2/net2net-same-nets/test.conf
index 1971a33ab..f46f137b4 100644
--- a/testing/tests/ikev2/net2net-same-nets/test.conf
+++ b/testing/tests/ikev2/net2net-same-nets/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun bob"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-start/evaltest.dat b/testing/tests/ikev2/net2net-start/evaltest.dat
index 244dec5bf..f003f822f 100644
--- a/testing/tests/ikev2/net2net-start/evaltest.dat
+++ b/testing/tests/ikev2/net2net-start/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::net-net.*INSTALLED::YES
-sun::ipsec statusall::net-net.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
index 1cc812864..fa611ff09 100755..100644
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
index 24e5df519..06bfa038b 100755..100644
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-start/posttest.dat b/testing/tests/ikev2/net2net-start/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/ikev2/net2net-start/posttest.dat
+++ b/testing/tests/ikev2/net2net-start/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/net2net-start/pretest.dat b/testing/tests/ikev2/net2net-start/pretest.dat
index 6e41d5245..9d23c553e 100644
--- a/testing/tests/ikev2/net2net-start/pretest.dat
+++ b/testing/tests/ikev2/net2net-start/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ipsec start
 sun::sleep 2
 moon::ipsec start
-alice::sleep 3 
+moon::sleep 3 
diff --git a/testing/tests/ikev2/net2net-start/test.conf b/testing/tests/ikev2/net2net-start/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/ikev2/net2net-start/test.conf
+++ b/testing/tests/ikev2/net2net-start/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
index c08a17943..e931afb7e 100644
--- a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat
@@ -1,12 +1,12 @@
-moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::requesting ocsp status from::YES
-moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
-moon::cat /var/log/daemon.log::ocsp response is valid::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
-carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
+moon:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
+moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon:: cat /var/log/daemon.log::ocsp response is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
+carol::ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
 carol::cat /var/log/daemon.log::requesting ocsp status from::YES
 carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
 carol::cat /var/log/daemon.log::ocsp response is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
index e2602f08a..05e27f641 100755..100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
index 119d14a42..e441e661f 100755..100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index dda793f44..4e2cc2860 100755
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
-		      -resp_no_certs -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
+	-resp_no_certs -nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-local-cert/test.conf b/testing/tests/ikev2/ocsp-local-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-local-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
index 768de938b..c41a668f0 100644
--- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat
@@ -1,10 +1,10 @@
-moon::ipsec listocspcerts::altNames.*ocsp.*strongswan.org::YES
-carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-dave::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
+moon:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.*strongswan.org::YES
+carol::ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
+dave:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-dave::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec status::ESTABLISHED.*carol::YES
-moon::ipsec status::ESTABLISHED.*dave::YES
-carol::ipsec status::ESTABLISHED::YES
-dave::ipsec status::ESTABLISHED::YES
+dave:: cat /var/log/daemon.log::certificate status is good::YES
+moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*CN=carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*CN=dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::ESTABLISHED.*CN=carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::ESTABLISHED.*CN=dave@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
index 259997f5c..4d3aa1cc6 100755..100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
index 0763d1734..756d6ec51 100755..100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
index b0e8336e6..630117af9 100755..100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/pretest.dat b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev2/ocsp-multi-level/pretest.dat
+++ b/testing/tests/ikev2/ocsp-multi-level/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ocsp-multi-level/test.conf b/testing/tests/ikev2/ocsp-multi-level/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/ocsp-multi-level/test.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
index a0a045ce8..a2ce5ad93 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
@@ -1,7 +1,7 @@
-moon::cat /var/log/daemon.log::requesting ocsp status from::YES
-moon::cat /var/log/daemon.log::ocsp response verification failed::YES
-moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
-moon::ipsec status::rw.*ESTABLISHED::NO
+moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
+moon:: cat /var/log/daemon.log::ocsp response verification failed::YES
+moon:: cat /var/log/daemon.log::certificate status is not available::YES
+moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-carol::ipsec status::home.*ESTABLISHED::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
index ba9779cb5..05e27f641 100755..100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
index b79c056ab..e441e661f 100755..100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf
@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index 74d22b90d..429061376 100755
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey winnetouKey.pem -rsigner winnetouCert.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey winnetouKey.pem -rsigner winnetouCert.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-revoked/evaltest.dat b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
index 2c3196103..97006c93e 100644
--- a/testing/tests/ikev2/ocsp-revoked/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-revoked/evaltest.dat
@@ -1,8 +1,8 @@
-moon::cat /var/log/daemon.log::requesting ocsp status from::YES
-moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
-moon::cat /var/log/daemon.log::certificate was revoked on::YES
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed
+moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon:: cat /var/log/daemon.log::certificate was revoked on::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-moon::ipsec status::rw.*ESTABLISHED::NO
-carol::ipsec status::home.*ESTABLISHED::NO
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
 
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
index 0d7cf5928..94eb58621 100755..100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
index 119d14a42..e441e661f 100755..100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/test.conf b/testing/tests/ikev2/ocsp-revoked/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-revoked/test.conf
+++ b/testing/tests/ikev2/ocsp-revoked/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
index 5bb322acc..0f852d7b1 100644
--- a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat
@@ -1,10 +1,10 @@
-moon::cat /var/log/daemon.log::requesting ocsp status::YES
-moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
-moon::cat /var/log/daemon.log::ocsp response is valid::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
+moon:: cat /var/log/daemon.log::requesting ocsp status::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon:: cat /var/log/daemon.log::ocsp response is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
 carol::cat /var/log/daemon.log::requesting ocsp status::YES
 carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
 carol::cat /var/log/daemon.log::ocsp response is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
index e2602f08a..05e27f641 100755..100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
index 119d14a42..e441e661f 100755..100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index e998b6ad0..59c356302 100755
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey strongswanKey.pem -rsigner strongswanCert.pem \
-		      -resp_no_certs -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey strongswanKey.pem -rsigner strongswanCert.pem \
+	-resp_no_certs -nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-root-cert/test.conf b/testing/tests/ikev2/ocsp-root-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-root-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
index f8bf0326a..7c7813cff 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat
@@ -1,12 +1,12 @@
-carol::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES
-moon::cat /var/log/daemon.log::requesting ocsp status::YES
-moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES
-moon::cat /var/log/daemon.log::ocsp response is valid::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
+carol::ipsec listcainfos 2> /dev/null::ocspuris.*http://ocsp.strongswan.org::YES
+moon:: cat /var/log/daemon.log::requesting ocsp status::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon:: cat /var/log/daemon.log::ocsp response is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
 carol::cat /var/log/daemon.log::requesting ocsp status::YES
 carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
 carol::cat /var/log/daemon.log::ocsp response is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
index 4011a6c17..a1bc9b014 100755..100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
index ce653cf08..2cec8851c 100755..100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	keyexchange=ikev2
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/test.conf b/testing/tests/ikev2/ocsp-signer-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
index 2e0f059c6..c31e05ef5 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -1,8 +1,8 @@
-moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES
-moon::cat /var/log/daemon.log::libcurl http request failed::YES
-moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
-moon::ipsec status::ESTABLISHED.*carol::YES
-moon::ipsec status::ESTABLISHED.*dave::NO
-carol::ipsec status::ESTABLISHED::YES
-dave::ipsec status::ESTABLISHED::NO
+moon:: cat /var/log/daemon.log::authentication of.*carol.*successful::YES
+moon:: cat /var/log/daemon.log::libcurl http request failed::YES
+moon:: cat /var/log/daemon.log::certificate status is not available::YES
+moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES
+moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
index bce685c53..27af8e7a8 100755..100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=ifuri
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
index 1ab63e84b..aa07085f4 100755..100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=ifuri
-	plutostart=no
 	
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
index 401e9b567..02db316d7 100755..100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=ifuri
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
index f15265e32..86dd31e83 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
index 777c32699..f50d5e88c 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat
@@ -1,13 +1,12 @@
-moon::cat /var/log/daemon.log::libcurl http request failed::YES
-moon::cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES
-moon::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
-moon::cat /var/log/daemon.log::ocsp response is valid::YES
-moon::cat /var/log/daemon.log::certificate status is good::YES
+moon:: cat /var/log/daemon.log::libcurl http request failed::YES
+moon:: cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES
+moon:: cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
+moon:: cat /var/log/daemon.log::ocsp response is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
 carol::cat /var/log/daemon.log::libcurl http request failed::YES
 carol::cat /var/log/daemon.log::ocsp request to.*bob.strongswan.org:8800.*failed::YES
 carol::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES
 carol::cat /var/log/daemon.log::ocsp response is valid::YES
 carol::cat /var/log/daemon.log::certificate status is good::YES
-moon::ipsec status::rw.*ESTABLISHED::YES
-carol::ipsec status::home.*ESTABLISHED::YES
-
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
index ff312cc6b..816db6e1e 100755..100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
index 394d94160..f307c12d0 100755..100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index 92aa920aa..aa70321d5 100755
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -6,9 +6,9 @@ echo "Content-type: application/ocsp-response"
 echo ""
 
 # simulate a delayed response
-sleep 5 
+sleep 5
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey ocspKey.pem -rsigner ocspCert.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey ocspKey.pem -rsigner ocspCert.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/test.conf b/testing/tests/ikev2/ocsp-timeouts-good/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/test.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
index 1b281507b..7c0a9a5a4 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat
@@ -1,7 +1,7 @@
-moon::cat /var/log/daemon.log::libcurl http request failed::YES
-moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed::YES
+moon:: cat /var/log/daemon.log::libcurl http request failed::YES
+moon:: cat /var/log/daemon.log::certificate status is not available::YES
+moon:: cat /var/log/daemon.log::constraint check failed::YES
 carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES
-moon::ipsec status::rw.*ESTABLISHED::NO
-carol::ipsec status::home.*ESTABLISHED::NO
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
 
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
index ef24ea191..459da1467 100755..100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
index fe657b4a6..a464f017a 100755..100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
index 45c6ce7c5..6ba1be6b1 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
@@ -1,7 +1,7 @@
-moon::cat /var/log/daemon.log::requesting ocsp status from::YES
-moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
-moon::cat /var/log/daemon.log::ocsp response verification failed::YES
-moon::cat /var/log/daemon.log::certificate status is not available::YES
-moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
-moon::ipsec status::rw.*ESTABLISHED::NO
-carol::ipsec status::home.*ESTABLISHED::NO
+moon:: cat /var/log/daemon.log::requesting ocsp status from::YES
+moon:: cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES
+moon:: cat /var/log/daemon.log::ocsp response verification failed::YES
+moon:: cat /var/log/daemon.log::certificate status is not available::YES
+moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
index ba9779cb5..05e27f641 100755..100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf
@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
index b79c056ab..e441e661f 100755..100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf
@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	plutostart=no
 
 ca strongswan-ca
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
index 20c4b2a22..72aa7a6c4 100755
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi
@@ -5,7 +5,7 @@ cd /etc/openssl
 echo "Content-type: application/ocsp-response"
 echo ""
 
-/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
-                      -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
-		      -nmin 5 \
-		      -reqin /dev/stdin -respout /dev/stdout
+cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \
+	-rkey ocspKey-self.pem -rsigner ocspCert-self.pem \
+	-nmin 5 \
+	-reqin /dev/stdin -respout /dev/stdout | cat
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
index 2b240d895..892f51cd9 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon carol winnetou"
+VIRTHOSTS="moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/protoport-dual/evaltest.dat b/testing/tests/ikev2/protoport-dual/evaltest.dat
index bd24b911c..cf45f3b52 100644
--- a/testing/tests/ikev2/protoport-dual/evaltest.dat
+++ b/testing/tests/ikev2/protoport-dual/evaltest.dat
@@ -1,9 +1,9 @@
-carol::ipsec statusall::home-icmp.*INSTALLED::YES
-carol::ipsec statusall::home-ssh.*INSTALLED::YES
-moon::ipsec statusall::rw-icmp.*INSTALLED::YES
-moon::ipsec statusall::rw-ssh.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
index 51971a13c..e15382bad 100755..100644
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
index 0d7e8db3f..bc131cd71 100755..100644
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-dual/posttest.dat b/testing/tests/ikev2/protoport-dual/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/protoport-dual/posttest.dat
+++ b/testing/tests/ikev2/protoport-dual/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/protoport-dual/pretest.dat b/testing/tests/ikev2/protoport-dual/pretest.dat
index d3d0061c3..efb2e5712 100644
--- a/testing/tests/ikev2/protoport-dual/pretest.dat
+++ b/testing/tests/ikev2/protoport-dual/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/ikev2/protoport-dual/test.conf b/testing/tests/ikev2/protoport-dual/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/protoport-dual/test.conf
+++ b/testing/tests/ikev2/protoport-dual/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/protoport-route/evaltest.dat b/testing/tests/ikev2/protoport-route/evaltest.dat
index 78d062918..75c547995 100644
--- a/testing/tests/ikev2/protoport-route/evaltest.dat
+++ b/testing/tests/ikev2/protoport-route/evaltest.dat
@@ -1,10 +1,10 @@
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req::YES
 carol::ssh PH_IP_ALICE hostname::alice::YES
 carol::cat /var/log/daemon.log::creating acquire job::YES
-carol::ipsec statusall::home-icmp.*INSTALLED::YES
-carol::ipsec statusall::home-ssh.*INSTALLED::YES
-moon::ipsec statusall::rw-icmp.*INSTALLED::YES
-moon::ipsec statusall::rw-ssh.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
index d76a6ee17..f4d112daf 100755..100644
--- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
index 0d7e8db3f..bc131cd71 100755..100644
--- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-route/posttest.dat b/testing/tests/ikev2/protoport-route/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/protoport-route/posttest.dat
+++ b/testing/tests/ikev2/protoport-route/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/protoport-route/pretest.dat b/testing/tests/ikev2/protoport-route/pretest.dat
index 0aded0f4d..5a15574d6 100644
--- a/testing/tests/ikev2/protoport-route/pretest.dat
+++ b/testing/tests/ikev2/protoport-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/protoport-route/test.conf b/testing/tests/ikev2/protoport-route/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/protoport-route/test.conf
+++ b/testing/tests/ikev2/protoport-route/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-early/evaltest.dat b/testing/tests/ikev2/reauth-early/evaltest.dat
index b4cbe2f41..dbc6f8d97 100644
--- a/testing/tests/ikev2/reauth-early/evaltest.dat
+++ b/testing/tests/ikev2/reauth-early/evaltest.dat
@@ -1,6 +1,6 @@
-moon::ipsec statusall::rw\[2\].*ESTABLISHED::YES
-carol::ipsec statusall::home\[2\].*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 30s, scheduling reauthentication in 25s::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf
index 311dc3dc5..2277bcd59 100755..100644
--- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf
index 64a7aef6d..fb09e74b3 100755..100644
--- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=30s
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-early/posttest.dat b/testing/tests/ikev2/reauth-early/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/reauth-early/posttest.dat
+++ b/testing/tests/ikev2/reauth-early/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-early/pretest.dat b/testing/tests/ikev2/reauth-early/pretest.dat
index 7ed2423be..153ea7c43 100644
--- a/testing/tests/ikev2/reauth-early/pretest.dat
+++ b/testing/tests/ikev2/reauth-early/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/reauth-early/test.conf b/testing/tests/ikev2/reauth-early/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/reauth-early/test.conf
+++ b/testing/tests/ikev2/reauth-early/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2/reauth-late/evaltest.dat
index c0893df65..205a4d9e7 100644
--- a/testing/tests/ikev2/reauth-late/evaltest.dat
+++ b/testing/tests/ikev2/reauth-late/evaltest.dat
@@ -1,7 +1,7 @@
-moon::ipsec statusall::rw\[2\].*ESTABLISHED::YES
-carol::ipsec statusall::home\[2\].*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::cat /var/log/daemon.log::scheduling reauthentication in 2[0-5]s::YES
 carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 360[01]s, reauthentication already scheduled in 2[0-5]s::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf
index 32a43efac..9de0dda86 100755..100644
--- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=30s
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf
index cb5e86a66..225e2aab1 100755..100644
--- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=3601
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-late/posttest.dat b/testing/tests/ikev2/reauth-late/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/reauth-late/posttest.dat
+++ b/testing/tests/ikev2/reauth-late/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-late/pretest.dat b/testing/tests/ikev2/reauth-late/pretest.dat
index 7ed2423be..153ea7c43 100644
--- a/testing/tests/ikev2/reauth-late/pretest.dat
+++ b/testing/tests/ikev2/reauth-late/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/reauth-late/test.conf b/testing/tests/ikev2/reauth-late/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/reauth-late/test.conf
+++ b/testing/tests/ikev2/reauth-late/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-cert/evaltest.dat b/testing/tests/ikev2/rw-cert/evaltest.dat
index 06a0f8cda..ba661975b 100644
--- a/testing/tests/ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/ikev2/rw-cert/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
index bcdb8641b..dd2ceea60 100755..100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -1,15 +1,13 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn home
 	left=PH_IP_CAROL
@@ -19,5 +17,4 @@ conn home
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index e070f9a27..102801a92 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
index ea8bc92a7..4c6e11f16 100755..100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,15 +1,13 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn home
 	left=PH_IP_DAVE
@@ -19,5 +17,4 @@ conn home
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index e070f9a27..102801a92 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
index 274521386..e67d9af9b 100755..100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,15 +1,13 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
+	keyexchange=ikev2
 
 conn rw
 	left=PH_IP_MOON
@@ -18,5 +16,4 @@ conn rw
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
-	keyexchange=ikev2
 	auto=add
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index e070f9a27..102801a92 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/posttest.dat b/testing/tests/ikev2/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-cert/posttest.dat
+++ b/testing/tests/ikev2/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-cert/pretest.dat
+++ b/testing/tests/ikev2/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-cert/test.conf b/testing/tests/ikev2/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-cert/test.conf
+++ b/testing/tests/ikev2/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-dnssec/description.txt b/testing/tests/ikev2/rw-dnssec/description.txt
new file mode 100644
index 000000000..0135f078c
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b>
+resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>.
+</p>
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the
+tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway
+<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b>
+and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/rw-dnssec/evaltest.dat b/testing/tests/ikev2/rw-dnssec/evaltest.dat
new file mode 100644
index 000000000..49183fb42
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/evaltest.dat
@@ -0,0 +1,24 @@
+carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave.strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES
+moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..082b18a7f
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=%any
+	leftsourceip=%config
+	leftid=carol.strongswan.org
+	leftsigkey="dns:0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE="
+	leftauth=pubkey
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..825af9dd0
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..a68f981d1
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=%any
+	leftsourceip=%config
+	leftid=dave.strongswan.org
+	leftsigkey="dns:0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
+	leftauth=pubkey
+	leftfirewall=yes
+	right=moon.strongswan.org
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..825af9dd0
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf
index 850ea561b..74ddc6e01 100644
--- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf
@@ -1,23 +1,22 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
-conn %default
+conn %default 
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
-	authby=xauthpsk
-	xauth=server
+	keyexchange=ikev2
 
-conn rw
+conn rw 
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
+	leftid=moon.strongswan.org
+	leftauth=pubkey
+	leftsigkey=moonPub.der
 	leftfirewall=yes
 	right=%any
+	rightauth=pubkey
+	rightsourceip=10.3.0.0/24
 	auto=add
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der
new file mode 100644
index 000000000..71571044c
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
new file mode 100644
index 000000000..d059d8476
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys
@@ -0,0 +1,10 @@
+; This is a key-signing key, keyid 32329, for .
+.		IN	DNSKEY	257 3 8	(
+				AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2
+				XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b
+				L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx
+				E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b
+				AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5
+				nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO
+				O9fOgGnjzAk=
+				)
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..b2c425289
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow DNSSEC fetch from winnetou
+-A INPUT  -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf
new file mode 100644
index 000000000..73d926def
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf
@@ -0,0 +1 @@
+nameserver PH_IP_WINNETOU
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..644ac3d6a
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 dnskey pubkey unbound ipseckey gmp random nonce hmac stroke kernel-netlink socket-default updown attr
+
+  dns1 = PH_IP_WINNETOU
+  dns2 = PH_IP_VENUS
+
+  plugins {
+    ipseckey {
+      enable = yes
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-dnssec/posttest.dat b/testing/tests/ikev2/rw-dnssec/posttest.dat
new file mode 100644
index 000000000..3d55e09f9
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/posttest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon:rm /etc/resolv.conf
+carol:rm /etc/resolv.conf
+dave:rm /etc/resolv.conf
+moon:rm /etc/ipsec.d/dnssec.key
+carol:rm /etc/ipsec.d/dnssec.key
+dave:rm /etc/ipse.cd/dnssec.key
diff --git a/testing/tests/ikev2/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-dnssec/pretest.dat
new file mode 100644
index 000000000..40eaede87
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2 
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-dnssec/test.conf b/testing/tests/ikev2/rw-dnssec/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev2/rw-dnssec/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
index 661e6cfe7..d59eef513 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
@@ -1,11 +1,13 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::received EAP identity.*carol::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
index 22bba57a7..f1f761186 100755..100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
index ccf446f79..2f8bf5d9e 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
index 16171feb3..12431486c 100755..100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
index ccf446f79..2f8bf5d9e 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
index 3064f02a6..0ea4e21ab 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
@@ -1,10 +1,12 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap-aka.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
index ba9294f6a..b4825fb82 100755..100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index d8c77f5b1..69f9845af 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
index 3a1fd98d3..cd2e42d9f 100755..100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index d8c77f5b1..69f9845af 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-dynamic/description.txt b/testing/tests/ikev2/rw-eap-dynamic/description.txt
new file mode 100644
index 000000000..2bd9aaaac
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/description.txt
@@ -0,0 +1,5 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+<b>carol</b> uses the default <i>EAP-MD5</i> password-based client authentication
+method as proposed by EAP server <b>moon</b> whereas <b>dave</b> requests an <i>EAP-TLS</i>
+certificate-based client authentication by sending this proposal in an <i>EAP-NAK</i> message
+back to the EAP server.
diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
new file mode 100644
index 000000000..6a20b8e8c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
@@ -0,0 +1,23 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..b8b628758
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap-md5
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..0fd7117dd
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+}
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..981dee3cd
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftauth=eap-tls
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	auto=add
diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets
index fac55d63b..0979b9afd 100644
--- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: RSA carolKey.pem
+: RSA daveKey.pem 
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5f9eedba1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+}
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..191989e7b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftsubnet=10.1.0.0/16
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	rightid=*@strongswan.org
+	rightauth=eap-dynamic
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets
index 2586f5f39..c991683b8 100644
--- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets
@@ -2,4 +2,4 @@
 
 : RSA moonKey.pem
 
-carol@strongswan.org : XAUTH "4iChxLT3" 
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..a0682268d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-dynamic updown
+
+  plugins {
+    eap-dynamic {
+      prefer_user = yes
+      preferred = md5, tls
+    }
+  }  
+}
diff --git a/testing/tests/ikev2/rw-eap-dynamic/posttest.dat b/testing/tests/ikev2/rw-eap-dynamic/posttest.dat
new file mode 100644
index 000000000..b757d8b15
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
new file mode 100644
index 000000000..17f1b5f2b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat
@@ -0,0 +1,10 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-dynamic/test.conf b/testing/tests/ikev2/rw-eap-dynamic/test.conf
new file mode 100644
index 000000000..a5525e6aa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-dynamic/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice  moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt b/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt
new file mode 100644
index 000000000..46ffc0611
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway
+<b>moon</b>. At the outset the gateway authenticates itself to the client by
+sending an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then use the <b>EAP-MD5</b> protocol to authenticate
+against the gateway <b>moon</b>.
+<p/>
+The roadwarriors <b>carol</b> and <b>dave</b> request a virtual IP which is
+assigned by the RADIUS server <b>alice</b> using the <b>Framed-IP-Address</b>
+RADIUS attribute.
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
new file mode 100644
index 000000000..1460ec8f9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
+dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
+dave ::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES
+dave ::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave ::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
index 623f42904..623f42904 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
index 783587b55..783587b55 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
index 2de32a6f2..a67a5dcb4 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -40,4 +40,3 @@ pre-proxy {
 post-proxy {
   eap
 }
-
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..ba92f0080
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,4 @@
+carol	Cleartext-Password := "Ar3etTnp"
+		Framed-IP-Address = 10.3.0.1
+dave	Cleartext-Password := "W7R0g3do"
+		Framed-IP-Address = 10.3.0.2
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..ed908db4d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=%any
+	leftauth=eap
+	leftfirewall=yes
+	leftsourceip=%config
+	eap_identity=carol
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..23d79cf2e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..97aa8bbff
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=%any
+	leftauth=eap
+	leftfirewall=yes
+	leftsourceip=%config
+	eap_identity=dave
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..02e0c9963
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..a3299393a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	rightsendcert=never
+	rightauth=eap-radius
+	rightsourceip=%radius
+	eap_identity=%any
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets
index ee98b1611..e86d6aa5c 100644
--- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: RSA sunKey.asc
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4297a3056
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  plugins {
+    eap-radius {
+      class_group = yes
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
new file mode 100644
index 000000000..670d2e72f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
new file mode 100644
index 000000000..698a719f7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home 
+dave::ipsec up home 
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf
new file mode 100644
index 000000000..5dfb41723
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt b/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt
new file mode 100644
index 000000000..6860700db
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway
+<b>moon</b>. At the outset the gateway authenticates itself to the client by
+sending an IKEv2 <b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then use the <b>EAP-MD5</b> protocol to authenticate
+against the gateway <b>moon</b>. The user credentials of <b>carol</b>
+and <b>dave</b> are kept both on the local clients and the RADIUS server <b>alice</b>.
+<b>carol</b> possesses the RADIUS class attribute <b>Research</b> and therefore obtains
+access to the <b>research</b> subnet behind gateway <b>moon</b> whereas <b>dave</b>
+belongs to the class <b>Accounting</b> and has access to the <b>acccess</b> subnet.
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
new file mode 100644
index 000000000..aa6d4291b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
+carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
+carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
+dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES
+moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
+dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES
+dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO
+dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
index 783587b55..783587b55 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
index 2de32a6f2..a67a5dcb4 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -40,4 +40,3 @@ pre-proxy {
 post-proxy {
   eap
 }
-
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..62d459115
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,4 @@
+carol	Cleartext-Password := "Ar3etTnp"
+		Class = "Research"
+dave	Cleartext-Password := "W7R0g3do"
+		Class = "Accounting"
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
index 3d6addb62..53e2be638 100755..100644
--- a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf
@@ -1,33 +1,29 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
+	keyexchange=ikev2
 
 conn alice
-	also=home
 	rightsubnet=10.1.0.10/32
+	also=home
 	auto=add
 
 conn venus
-	also=home
 	rightsubnet=10.1.0.20/32
+	also=home
 	auto=add
 
 conn home
-	left=192.168.0.100
-	leftsourceip=%modeconfig
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
+	left=%any
+	leftauth=eap
 	leftfirewall=yes
-	right=192.168.0.1
+	eap_identity=carol
+	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..23d79cf2e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..9428f323a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn alice
+	rightsubnet=10.1.0.10/32
+	also=home
+	auto=add
+
+conn venus
+	rightsubnet=10.1.0.20/32
+	also=home
+	auto=add
+
+conn home
+	left=%any
+	leftauth=eap
+	leftfirewall=yes
+	eap_identity=dave
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..02e0c9963
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b1b418060
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+}
diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
index 11cf4d5d1..9dcbcca75 100755..100644
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf
@@ -1,30 +1,33 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
+	keyexchange=ikev2
 
-conn alice
-	leftsubnet=PH_IP_ALICE/32
-	right=%any
+conn research
 	rightgroups=Research
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
 	auto=add
-	
-conn venus
-	leftsubnet=PH_IP_VENUS/32
-	right=%any
-	rightgroups="Accounting, Sales"
+
+conn accounting
+	rightgroups=Accounting
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
 	auto=add
-	
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftcert=moonCert.pem
+	leftauth=pubkey
+	leftfirewall=yes
+	rightsendcert=never
+	rightauth=eap-radius
+	eap_identity=%any
+	right=%any
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
index afb1ff927..e86d6aa5c 100644
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: RSA moonKey.asc
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4297a3056
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  plugins {
+    eap-radius {
+      class_group = yes
+      secret = gv6URkSs
+      server = PH_IP_ALICE
+    }
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
new file mode 100644
index 000000000..670d2e72f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat
@@ -0,0 +1,7 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
new file mode 100644
index 000000000..a2704e833
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up alice
+dave::ipsec up venus
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf
new file mode 100644
index 000000000..5dfb41723
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
index 3f828141c..42d2c319e 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
@@ -2,11 +2,13 @@ carol::cat /var/log/daemon.log::configured EAP-Identity carol::YES
 carol::cat /var/log/daemon.log::added EAP secret for carol moon.strongswan.org::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
-moon::cat /var/log/daemon.log::received EAP identity.*carol::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
index 7859ee9cc..176c1af2e 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
index fe067d344..b1b418060 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
index c132b9ab8..ea4185355 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
index fe067d344..b1b418060 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
index 9c301f484..180537f5f 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
index 2ee440cdb..8f813395a 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
@@ -1,11 +1,13 @@
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
-moon::cat /var/log/daemon.log::received EAP identity .*carol::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
index 783587b55..783587b55 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..a67a5dcb4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
index 247b918e3..247b918e3 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
index 5f779d1af..881971e80 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
index fe067d344..b1b418060 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
index 11ff84400..8ce1721f5 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
index 2a18af887..aba7eefdf 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
index 5e8dce9cf..a8019b3e7 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
@@ -1,11 +1,11 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
index 802fcfd8d..dd0825858 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -41,4 +41,3 @@ pre-proxy {
 post-proxy {
   eap
 }
-
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
index 247b918e3..247b918e3 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
index ba9294f6a..b4825fb82 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
index 57bd6cceb..0fd7117dd 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
index 4a885babc..efdf6f7ed 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
index f21745bcd..f634316f8 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
index fadcdc635..84f41fd93 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
@@ -1,9 +1,11 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
index ba9294f6a..b4825fb82 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
index 57bd6cceb..0fd7117dd 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
index 28d52b9eb..5d799a870 100755..100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
index 57bd6cceb..0fd7117dd 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
index 5b632bfe8..010f48315 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -1,11 +1,13 @@
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon::cat /var/log/daemon.log::received EAP identity.*carol::YES
-moon::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
+moon:: cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
index c1497ca0e..59a0d66c3 100755..100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
index fd717317c..66dee832b 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
index a4a45f06c..086a734e3 100755..100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
index fd717317c..66dee832b 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
index 0908e1c97..4ed5257b1 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat
@@ -3,17 +3,21 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
-dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon::cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*CN=moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*CN=moon.strongswan.org.*dave@stronswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*CN=moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*CN=moon.strongswan.org::NO
+moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED::NO
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO 
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf
index 2f8b9dfda..dd1b89302 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +16,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
index fd5d3f5f4..e9958df28 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf
index 3a29329d5..a46071a3a 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +16,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
index fd5d3f5f4..e9958df28 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf
index 129486c05..d12eafbb2 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
index f5024111c..5f00ef57f 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
   plugins {
     eap-peap {
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/test.conf b/testing/tests/ikev2/rw-eap-peap-md5/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
index 8743b9643..fc75e1c9a 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat
@@ -3,17 +3,17 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
-dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-dave::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon::cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@stronswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf
index 2f8b9dfda..dd1b89302 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +16,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
index 2cbfb2484..613ceee06 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf
index 3a29329d5..a46071a3a 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +16,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
index 2cbfb2484..613ceee06 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf
index 129486c05..d12eafbb2 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
index 19d12447f..58e8df0da 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+  load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
   multiple_authentication=no
   plugins {
     eap-peap {
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
index 39a24f15e..95c29b7f5 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
@@ -3,19 +3,17 @@ carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
-dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
index df50901d5..11d3e2acd 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf
@@ -1,7 +1,7 @@
 eap {
   md5 {
   }
-  default_eap_type = peap 
+  default_eap_type = peap
   tls {
     private_key_file = /etc/raddb/certs/aaaKey.pem
     certificate_file = /etc/raddb/certs/aaaCert.pem
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
index 802fcfd8d..dd0825858 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -41,4 +41,3 @@ pre-proxy {
 post-proxy {
   eap
 }
-
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf
index b2eef5785..944546ff8 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
index 2c06d26a6..0e20d1c68 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf
index 3c8ea5c58..b1a22e78a 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
index 2c06d26a6..0e20d1c68 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf
index fc8f84638..98e2525ba 100755..100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
index 4d2d3058d..38d78e7a0 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
index cbe1ae229..3e7fc0bb1 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/test.conf b/testing/tests/ikev2/rw-eap-peap-radius/test.conf
index e6a786a94..20d586309 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol winnetou dave moon"
+VIRTHOSTS="alice carol winnetou dave moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
index 4305a1400..f1a68bc19 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
@@ -1,12 +1,12 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+	simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
index 92896b11e..893529324 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -40,4 +40,3 @@ pre-proxy {
 post-proxy {
   eap
 }
-
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
index c167ba940..c167ba940 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
index e69de29bb..e69de29bb 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim 
-  sim {
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-  sim_files {
-    simtriplets = "/etc/raddb/triplets.dat"
-  }
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
index d3a99fe41..97ce965a0 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +11,6 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftnexthop=%direct
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	leftauth=eap
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
index 7b4ab49e4..8e872ddae 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
index a86bb3d73..8216627ba 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
index 2a18af887..aba7eefdf 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
index 0da980c07..b9117af36 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
index 852d424af..f434ddfc6 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat
@@ -1,15 +1,15 @@
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
new file mode 100644
index 000000000..10c26aa15
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files
@@ -0,0 +1,3 @@
+sim_files {
+	simtriplets = "/etc/freeradius/triplets.dat"
+}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
index 126d61d05..fbdf75f4c 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -41,4 +41,3 @@ pre-proxy {
 post-proxy {
   eap
 }
-
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
index fd0eb19b9..3e9a644eb 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat
@@ -4,4 +4,3 @@ carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
 dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
 dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
 dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
-
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
index e69de29bb..e69de29bb 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim 
-  sim {
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-  sim_files {
-    simtriplets = "/etc/raddb/triplets.dat"
-  }
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf
index 11b9f0d71..0e6090c40 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,5 +16,6 @@ conn home
 	leftauth=eap
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
index e468cd4f9..691bec865 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf
index dca65c09f..0507a6b6c 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
index e468cd4f9..691bec865 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf
index e3f4694bd..b80a47bf1 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
index f21745bcd..f634316f8 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 5a51733dc..0b3e901c2 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -1,11 +1,11 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
index bb6b68687..29bfaa78c 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index b4d66adc6..21cfe429a 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -1,15 +1,15 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..7d8023951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = sim
+  sim {
+  }
+}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
index dfceb037d..91425f812 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -59,4 +59,3 @@ pre-proxy {
 post-proxy {
   eap
 }
-
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
index fd0eb19b9..3e9a644eb 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat
@@ -4,4 +4,3 @@ carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB
 dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB
 dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB
 dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB
-
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
index e69de29bb..e69de29bb 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index a2020424e..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-eap {
-  default_eap_type = sim 
-  sim {
-  }
-}
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index d77b818fe..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,123 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-  sim_files {
-    simtriplets = "/etc/raddb/triplets.dat"
-  }
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
index 4f0d40b3e..951008d2b 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -9,13 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_CAROL
 	leftid=carol@strongswan.org
+	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
index e468cd4f9..691bec865 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
index 511eb6172..a9d04ebfa 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -9,13 +8,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=eap
 
 conn home
 	left=PH_IP_DAVE
 	leftid=dave@strongswan.org
+	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
index e468cd4f9..691bec865 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf
index 825994278..a246bd172 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,13 +11,14 @@ conn %default
 
 conn rw-eap
 	authby=rsasig
-	eap=radius
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
+	leftauth=pubkey
 	leftcert=moonCert.pem
 	leftfirewall=yes
 	rightid=*@strongswan.org
+	rightauth=eap-radius
 	rightsendcert=never
 	right=%any
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
index f21745bcd..f634316f8 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
index b3fd4cbf1..c17bec0f7 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat
@@ -1,11 +1,11 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::cat /etc/raddb/clients.conf
-alice::cat /etc/raddb/eap.conf
-alice::cat /etc/raddb/proxy.conf
-alice::cat /etc/raddb/triplets.dat
-alice::/etc/init.d/radiusd start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::cat /etc/freeradius/clients.conf
+alice::cat /etc/freeradius/eap.conf
+alice::cat /etc/freeradius/proxy.conf
+alice::cat /etc/freeradius/triplets.dat
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
index 53c7e71ce..ab27b4510 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
@@ -1,10 +1,10 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap-sim.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap-sim.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
index ba9294f6a..b4825fb82 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
index 0add0f360..8caa11c97 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
index ea62749be..ab49aa0f3 100755..100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
index 527cb2b37..6c8911e5a 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
 
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
index 23c7a62b2..ae464b51c 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::cat /etc/ipsec.d/triplets.dat
 carol::cat /etc/ipsec.d/triplets.dat
 moon::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
index f4d534051..314769b3e 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat
@@ -1,9 +1,9 @@
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.d.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
index 889a47d80..b7b27b720 100755..100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=strongSwan Project, CN=moon.d.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
index dc0bcdff5..535b37210 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 
   plugins {
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
index 9f979e17b..ee4bfd27d 100755..100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
index dc0bcdff5..535b37210 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 
   plugins {
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
index 085b19509..e8156ea70 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/cacerts/*
 moon::rm /etc/ipsec.d/certs/*
 moon::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
index 35d35dc86..3d680ab78 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat
@@ -1,7 +1,7 @@
 moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
 carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/test.conf b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
index 2bd21499b..e093d43d8 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
index 1e9bdb2af..a436131bf 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
@@ -1,9 +1,9 @@
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
index 3aeab002f..4272d98be 100755..100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -17,6 +16,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
index 4e47e632c..2eb2adc78 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
index 430211020..b9a58e902 100755..100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
index 4e47e632c..2eb2adc78 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-only/test.conf b/testing/tests/ikev2/rw-eap-tls-only/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
index f0a674063..7584e14dc 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
@@ -1,11 +1,9 @@
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
-
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
index 92f96ad66..92f96ad66 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
index 990184919..18ebf9e9d 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -39,4 +39,3 @@ pre-proxy {
 post-proxy {
   eap
 }
-
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
index 247b918e3..247b918e3 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
index 4f4c8abcf..fc6f1e633 100755..100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
index 4e47e632c..2eb2adc78 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
index be907f839..deadcff6d 100755..100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
index ab71e5908..5bf9dc03b 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
index 920d6a20d..181949fb5 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
index 280d62e3c..9adc43d3e 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/test.conf b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
index e0d77b583..eb1e15dd2 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice carol moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
index 9586fe558..d22dd18db 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat
@@ -3,17 +3,17 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
-dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon::cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
index 967598643..8ff3c2ab6 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
index 96620d0c2..32b4d2eb1 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
index ad1255212..367c0b527 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
index 96620d0c2..32b4d2eb1 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
index d37848bac..cd93a48e7 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
index a68a74712..9401ffb00 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
index 369596177..589d478e7 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat
@@ -1,10 +1,10 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+carol::sleep 2
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 1
+dave::sleep 2
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/test.conf b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
index 9586fe558..d22dd18db 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat
@@ -3,17 +3,17 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
-dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon::cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
index 967598643..8ff3c2ab6 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
index 378bdc540..8de5ec68f 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
index ad1255212..367c0b527 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
index 378bdc540..8de5ec68f 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
index d37848bac..cd93a48e7 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
index b065251ea..c730346a6 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
index 369596177..17f1b5f2b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
index 2c0f65159..a471a2cfa 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
@@ -3,18 +3,18 @@ carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
-dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::NO
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
+dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
index c91cd40fb..c91cd40fb 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
index 23cba8d11..23cba8d11 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
index 802fcfd8d..dd0825858 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/default
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -41,4 +41,3 @@ pre-proxy {
 post-proxy {
   eap
 }
-
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
index 97a2e02c9..5b1ac90a3 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
index 96620d0c2..32b4d2eb1 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
index d388060be..8aa168745 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
index 96620d0c2..32b4d2eb1 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
index fc8f84638..98e2525ba 100755..100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
index ab71e5908..5bf9dc03b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
index dbe56013a..670d2e72f 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::killall radiusd
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
index cbe1ae229..3e7fc0bb1 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
index e6a786a94..20d586309 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol winnetou dave moon"
+VIRTHOSTS="alice carol winnetou dave moon"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
index fe2a8d063..7a9a70939 100644
--- a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat
@@ -1,14 +1,18 @@
-moon::cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
-moon::cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
 carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
-dave::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf
index 77046eb7d..acf5789d8 100755..100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
index d9349846c..b294b7c22 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf
index febaf9be2..1e1439560 100755..100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
index d9349846c..b294b7c22 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf
index cbc60000a..cd626a720 100755..100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
index d9349846c..b294b7c22 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/posttest.dat b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-hash-and-url/posttest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-hash-and-url/pretest.dat b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-hash-and-url/pretest.dat
+++ b/testing/tests/ikev2/rw-hash-and-url/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-hash-and-url/test.conf b/testing/tests/ikev2/rw-hash-and-url/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-hash-and-url/test.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-initiator-only/description.txt b/testing/tests/ikev2/rw-initiator-only/description.txt
new file mode 100644
index 000000000..478004162
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/description.txt
@@ -0,0 +1,10 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
+the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-initiator-only/evaltest.dat b/testing/tests/ikev2/rw-initiator-only/evaltest.dat
new file mode 100644
index 000000000..80fd7c5be
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/evaltest.dat
@@ -0,0 +1,8 @@
+dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..dd2ceea60
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dc900c4f2
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..b417977c9
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..9251921ff
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..acc2ef758
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7f31b170b
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/posttest.dat b/testing/tests/ikev2/rw-initiator-only/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-initiator-only/pretest.dat b/testing/tests/ikev2/rw-initiator-only/pretest.dat
new file mode 100644
index 000000000..fc7173430
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/ikev2/rw-initiator-only/test.conf b/testing/tests/ikev2/rw-initiator-only/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/ikev2/rw-initiator-only/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-mark-in-out/description.txt b/testing/tests/ikev2/rw-mark-in-out/description.txt
index 4c35081b1..3012fc656 100644
--- a/testing/tests/ikev2/rw-mark-in-out/description.txt
+++ b/testing/tests/ikev2/rw-mark-in-out/description.txt
@@ -1,7 +1,7 @@
 The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up
 tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
-gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
-and 10.3.0.20, respectively.
+gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to PH_IP_CAROL10
+and PH_IP_DAVE10, respectively.
 <p/>
 In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively,
 <b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using
diff --git a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
index c248a508a..26b26204c 100644
--- a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
@@ -1,11 +1,11 @@
-alice::ipsec statusall::home.*INSTALLED::YES
-venus::ipsec statusall::home.*INSTALLED::YES
-sun::ipsec statusall::alice.*ESTABLISHED.*alice@strongswan.org::YES
-sun::ipsec statusall::venus.*ESTABLISHED.*venus.strongswan.org::YES
-sun::ipsec statusall::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
-sun::ipsec statusall::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun::  ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+sun::  ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
+sun::  ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
 moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
 moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 5594bbf52..000000000
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf
index dd0240b07..726aa616b 100755..100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf
index 5fa211c2a..4b549cbd5 100755..100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="knl 2"
 
 conn %default
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
index 0d22e684d..421335ffb 100755
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -73,8 +73,12 @@
 #              just the host, this will be 255.255.255.255.
 #
 #       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
 #
 #       PLUTO_MY_PROTOCOL
 #              is the IP protocol that will be transported.
@@ -128,9 +132,15 @@
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
 
 # define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
 export PATH
 
 # uncomment to log VPN connections
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 5594bbf52..000000000
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow ESP 
-        iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow MOBIKE 
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf
index 4af93df8d..cb9b27ed7 100755..100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-mark-in-out/posttest.dat b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
index fae79271b..283099acb 100644
--- a/testing/tests/ikev2/rw-mark-in-out/posttest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
@@ -2,9 +2,9 @@ sun::iptables -t mangle -v -n -L PREROUTING
 sun::ipsec stop
 alice::ipsec stop
 venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 sun::ip route del 10.1.0.0/16 via PH_IP_MOON
 sun::conntrack -F
 sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
index 3d9a5f340..8e9dd2f51 100644
--- a/testing/tests/ikev2/rw-mark-in-out/pretest.dat
+++ b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
@@ -1,13 +1,12 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON 
 sun::ip route add 10.1.0.0/16 via PH_IP_MOON 
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
-sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
-sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10
+sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 11
+sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 21
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
diff --git a/testing/tests/ikev2/rw-mark-in-out/test.conf b/testing/tests/ikev2/rw-mark-in-out/test.conf
index ae3c190b8..105472cbe 100644
--- a/testing/tests/ikev2/rw-mark-in-out/test.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon bob"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/rw-pkcs8/evaltest.dat b/testing/tests/ikev2/rw-pkcs8/evaltest.dat
index 06a0f8cda..2342d024b 100644
--- a/testing/tests/ikev2/rw-pkcs8/evaltest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf
index bcdb8641b..e72f78742 100755..100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
index 3c22edc23..9802ea724 100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf
index ea8bc92a7..65c9819bb 100755..100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
index 3c22edc23..9802ea724 100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf
index 274521386..1ee751360 100755..100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
index 9333bcdf4..597aebf61 100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-pkcs8/posttest.dat b/testing/tests/ikev2/rw-pkcs8/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-pkcs8/posttest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-pkcs8/pretest.dat b/testing/tests/ikev2/rw-pkcs8/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-pkcs8/pretest.dat
+++ b/testing/tests/ikev2/rw-pkcs8/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-pkcs8/test.conf b/testing/tests/ikev2/rw-pkcs8/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-pkcs8/test.conf
+++ b/testing/tests/ikev2/rw-pkcs8/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-fqdn/description.txt b/testing/tests/ikev2/rw-psk-fqdn/description.txt
index d4a7c3878..47f6968ae 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/description.txt
+++ b/testing/tests/ikev2/rw-psk-fqdn/description.txt
@@ -1,6 +1,6 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
-and fully qualified domain names. Upon the successful establishment of the IPsec tunnels,
+and <b>Fully Qualified Domain Names</b>. Upon the successful establishment of the IPsec tunnels,
 <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
 let pass the tunneled traffic. In order to test both tunnel and firewall, both
 <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
index 06a0f8cda..2fbcc474f 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat
@@ -1,8 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
index 6c821010a..594affa28 100755..100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index 882ea04a5..d84cba2b0 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
index 1af9be7f7..57f7303be 100755..100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
index 882ea04a5..d84cba2b0 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
index 97edc9047..8dc61b0b3 100755..100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index 882ea04a5..d84cba2b0 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
index 282b2aec0..64ce593fb 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/rw-psk-fqdn/test.conf b/testing/tests/ikev2/rw-psk-fqdn/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/test.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-ipv4/description.txt b/testing/tests/ikev2/rw-psk-ipv4/description.txt
index 4eb66c540..b4aaa6a6a 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/description.txt
+++ b/testing/tests/ikev2/rw-psk-ipv4/description.txt
@@ -1,6 +1,6 @@
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
-and IPv4 addresses. Upon the successful establishment of the IPsec tunnels,
+and <b>IPv4</b> addresses. Upon the successful establishment of the IPsec tunnels,
 <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that
 let pass the tunneled traffic. In order to test both tunnel and firewall, both
 <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
index 06a0f8cda..2bd97b76c 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*\[PH_IP_MOON]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_DAVE].*\[PH_IP_MOON]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_CAROL]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_DAVE]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index 5990f6875..13b737a91 100755..100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
index 18a074472..57ce85d61 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+PH_IP_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 882ea04a5..d84cba2b0 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
index bdd50899a..27c70c125 100755..100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
index e989540e9..111de272b 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-192.168.0.200  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
+PH_IP_DAVE  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index 882ea04a5..d84cba2b0 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index b99f43ef4..335977da6 100755..100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
index ab3fb129b..6706534eb 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets
@@ -1,5 +1,5 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+PH_IP_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
 
-192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
+PH_IP_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 882ea04a5..d84cba2b0 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
index 282b2aec0..64ce593fb 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/rw-psk-ipv4/test.conf b/testing/tests/ikev2/rw-psk-ipv4/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/test.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
index 06a0f8cda..2342d024b 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
index 150687104..5bc8dbe3f 100755..100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
index 882ea04a5..924fd4757 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
index 2397d6d6d..315634745 100755..100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
index 882ea04a5..924fd4757 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
index 97edc9047..8dc61b0b3 100755..100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
index 882ea04a5..924fd4757 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
index 282b2aec0..64ce593fb 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
 dave::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/ikev2/rw-psk-no-idr/test.conf b/testing/tests/ikev2/rw-psk-no-idr/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/test.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
index 236684c57..ab398a3bb 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
@@ -1,15 +1,14 @@
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
-moon::cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES
-moon::ipsec statusall::rw-psk.*INSTALLED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
-moon::ipsec statusall::rw-rsasig.*INSTALLED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES
+moon:: ipsec status 2> /dev/null::rw-psk.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[PH_IP_MOON]::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon:: ipsec status 2> /dev/null::rw-rsasig.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
index 78c33df12..ee62325b7 100755..100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
index e533b4b4e..65c9819bb 100755..100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-        crlcheckinterval=180
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
index 004993d94..c86e82b64 100755..100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
index e48d11e42..446f81426 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
index 0e5bd03db..1648c9557 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
@@ -1,11 +1,16 @@
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
index da59dfdae..72e2f7d4a 100755..100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=secret
 
 conn home
 	left=PH_IP_CAROL
 	leftsourceip=%config
 	leftid=carol@strongswan.org
+	leftauth=psk
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
index f09d46c5b..cd7c7ae7f 100755..100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	authby=secret
 
 conn home
 	left=PH_IP_DAVE
 	leftsourceip=%config
 	leftid=dave@strongswan.org
+	leftauth=psk
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=pubkey
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
index fb4b9ed3a..5e743101a 100755..100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -14,9 +13,11 @@ conn rw
 	left=PH_IP_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
+	leftauth=pubkey
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
+	rightauth=psk
 	rightsourceip=10.3.0.0/28
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/test.conf b/testing/tests/ikev2/rw-psk-rsa-split/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/test.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
index d23d6360b..ccbc769e2 100644
--- a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
@@ -1,15 +1,14 @@
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
-moon::cat /var/log/daemon.log::received EAP identity .*carol::YES
+moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
 carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
 carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ping -c 5 -s 1392 PH_IP_ALICE::1400 bytes from PH_IP_ALICE::YES
-carol::ipsec down home::no output expected::NO
+carol::ipsec down home 2> /dev/null::no output expected::NO
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-alice::cat /var/log/radius/radacct/10.1.0.1/*::User-Name =.*carol::YES
-alice::cat /var/log/radius/radacct/10.1.0.1/*::Acct-Output-Octets = 7100::YES
-alice::cat /var/log/radius/radacct/10.1.0.1/*::Acct-Input-Octets = 7100::YES
-
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::User-Name =.*carol::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Output-Octets = 7100::YES
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Input-Octets = 7100::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..623f42904
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,5 @@
+eap {
+  default_eap_type = md5
+  md5 {
+  }
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..783587b55
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm LOCAL {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..a67a5dcb4
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,42 @@
+authorize {
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users
index 247b918e3..247b918e3 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
index 5f779d1af..438e1c14c 100755..100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -16,6 +15,7 @@ conn home
 	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
+	leftsourceip=%config,%config6
 	eap_identity=carol
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
index fe067d344..b1b418060 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 962a418d9..000000000
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,88 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow RADIUS accounting protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1813 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1813 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf
index 11ff84400..7d4f94f48 100755..100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -21,6 +19,7 @@ conn rw-eap
 	rightid=*@strongswan.org
 	rightsendcert=never
 	rightauth=eap-radius
+	rightsourceip=10.3.0.0/24,fec3::0/120
 	eap_identity=%any
 	right=%any
 	auto=add
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..b9560a38e
--- /dev/null
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules
@@ -0,0 +1,36 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+# allow RADIUS accounting protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1813 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1813 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
index 52927c1fd..3bf573f5d 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-radius-accounting/posttest.dat b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
index b1f971402..98f7a6954 100644
--- a/testing/tests/ikev2/rw-radius-accounting/posttest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/posttest.dat
@@ -1,7 +1,6 @@
 carol::ipsec stop
 moon::ipsec stop
-alice::/etc/init.d/radiusd stop
-alice::cat /var/log/radius/radacct/10.1.0.1/*
-carol::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-
+alice::killall radiusd
+alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*
+carol::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
index 30c8bd573..9f437fe85 100644
--- a/testing/tests/ikev2/rw-radius-accounting/pretest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat
@@ -1,7 +1,7 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-alice::rm /var/log/radius/radacct/10.1.0.1/*
-alice::/etc/init.d/radiusd start 
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/*
+alice::radiusd
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/rw-radius-accounting/test.conf b/testing/tests/ikev2/rw-radius-accounting/test.conf
index e0d77b583..6dbb1c7fd 100644
--- a/testing/tests/ikev2/rw-radius-accounting/test.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/test.conf
@@ -1,26 +1,25 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice carol moon"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c.png"
+DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
-
diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat
index 733cfd844..9418d6ee1 100644
--- a/testing/tests/ikev2/rw-whitelist/evaltest.dat
+++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat
@@ -1,14 +1,14 @@
-moon::cat /var/log/daemon.log::whitelist functionality was already enabled::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
-moon::cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES
-dave::ipsec status::home.*INSTALLED::NO
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::NO
+moon:: cat /var/log/daemon.log::whitelist functionality was already enabled::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf
index a19f6cfae..8c6c28bd6 100755..100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf
index 1a89f4e5d..72b8a59c0 100755..100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf
index 0b4cded6c..85c48a7bb 100755..100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
index 938b45518..984985a1a 100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc whitelist stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc whitelist stroke kernel-netlink socket-default updown
   plugins {
     whitelist {
       enable = yes
diff --git a/testing/tests/ikev2/rw-whitelist/posttest.dat b/testing/tests/ikev2/rw-whitelist/posttest.dat
index 1777f439f..b757d8b15 100644
--- a/testing/tests/ikev2/rw-whitelist/posttest.dat
+++ b/testing/tests/ikev2/rw-whitelist/posttest.dat
@@ -1,6 +1,6 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-whitelist/pretest.dat b/testing/tests/ikev2/rw-whitelist/pretest.dat
index c4ac77d77..87760775a 100644
--- a/testing/tests/ikev2/rw-whitelist/pretest.dat
+++ b/testing/tests/ikev2/rw-whitelist/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/rw-whitelist/test.conf b/testing/tests/ikev2/rw-whitelist/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/rw-whitelist/test.conf
+++ b/testing/tests/ikev2/rw-whitelist/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/shunt-policies/evaltest.dat b/testing/tests/ikev2/shunt-policies/evaltest.dat
index 2f6e1a91f..a6e40a817 100644
--- a/testing/tests/ikev2/shunt-policies/evaltest.dat
+++ b/testing/tests/ikev2/shunt-policies/evaltest.dat
@@ -1,16 +1,16 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 venus::ssh PH_IP_BOB hostname::bob::YES
-bob::ssh PH_IP_VENUS hostname::venus::YES
+bob::  ssh PH_IP_VENUS hostname::venus::YES
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 2b90a14c7..000000000
--- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# allow icmp in local net
-	iptables -A INPUT  -i eth1 -p icmp -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
index a4958f295..46ca4cdc3 100755..100644
--- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -21,7 +18,7 @@ conn local-net
 	auto=route
 
 conn venus-icmp
-	leftsubnet=10.1.0.20/32
+	leftsubnet=PH_IP_VENUS/32
 	rightsubnet=0.0.0.0/0
 	leftprotoport=icmp
 	rightprotoport=icmp
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..af0f25209
--- /dev/null
+++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow icmp in local net
+-A INPUT  -i eth1 -p icmp -j ACCEPT
+-A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf
index a2e9134c0..a5cd14b30 100644
--- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
   install_routes = no
 }
diff --git a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf
index c3b36fb7c..cd8ea23c3 100755..100644
--- a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf
index cb17a9e07..8e685c862 100644
--- a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/shunt-policies/posttest.dat b/testing/tests/ikev2/shunt-policies/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/ikev2/shunt-policies/posttest.dat
+++ b/testing/tests/ikev2/shunt-policies/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/ikev2/shunt-policies/pretest.dat b/testing/tests/ikev2/shunt-policies/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/ikev2/shunt-policies/pretest.dat
+++ b/testing/tests/ikev2/shunt-policies/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/ikev2/shunt-policies/test.conf b/testing/tests/ikev2/shunt-policies/test.conf
index cf2ef7424..6b7432ca6 100644
--- a/testing/tests/ikev2/shunt-policies/test.conf
+++ b/testing/tests/ikev2/shunt-policies/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/strong-keys-certs/evaltest.dat b/testing/tests/ikev2/strong-keys-certs/evaltest.dat
index 06a0f8cda..2342d024b 100644
--- a/testing/tests/ikev2/strong-keys-certs/evaltest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
index a7b55db24..732966f20 100755..100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
index 080073cd3..13636bc1e 100755..100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
index f33f26797..f36555445 100755..100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/posttest.dat b/testing/tests/ikev2/strong-keys-certs/posttest.dat
index 9ccbaa1c2..3fd6a690e 100644
--- a/testing/tests/ikev2/strong-keys-certs/posttest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/private/*
 dave::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/ikev2/strong-keys-certs/pretest.dat b/testing/tests/ikev2/strong-keys-certs/pretest.dat
index de51ccdfa..dea5fc162 100644
--- a/testing/tests/ikev2/strong-keys-certs/pretest.dat
+++ b/testing/tests/ikev2/strong-keys-certs/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/ikev2/strong-keys-certs/test.conf b/testing/tests/ikev2/strong-keys-certs/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/ikev2/strong-keys-certs/test.conf
+++ b/testing/tests/ikev2/strong-keys-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat
index d32e32660..2b4476afa 100644
--- a/testing/tests/ikev2/two-certs/evaltest.dat
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -1,12 +1,11 @@
-moon::cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES
-moon::ipsec statusall::alice.*INSTALLED::YES
-carol::ipsec statusall::alice.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES
-moon::cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
-moon::ipsec statusall::venus.*INSTALLED::YES
-carol::ipsec statusall::venus.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::YES
+moon:: cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
index 08b95659f..9ec202e3d 100755..100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
 	uniqueids=no
 	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -20,11 +18,11 @@ conn %default
 
 conn alice 
 	leftcert=carolCert.pem
-	rightsubnet=10.1.0.10/32
+	rightsubnet=PH_IP_ALICE/32
 	auto=add
 
 conn venus
 	leftcert=carolCert-002.pem
-	rightsubnet=10.1.0.20/32
+	rightsubnet=PH_IP_VENUS/32
 	auto=add
 
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
index a93ccbc9a..d8f1443ac 100755..100644
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,8 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
 	uniqueids=no
-	plutostart=no
+	strictcrlpolicy=yes
 
 ca strongswan
         cacert=strongswanCert.pem
@@ -25,10 +23,10 @@ conn %default
 	keyexchange=ikev2
 
 conn alice 
-	leftsubnet=10.1.0.10/32
+	leftsubnet=PH_IP_ALICE/32
 	auto=add
 
 conn venus 
-	leftsubnet=10.1.0.20/32
+	leftsubnet=PH_IP_VENUS/32
 	auto=add
 
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/two-certs/posttest.dat b/testing/tests/ikev2/two-certs/posttest.dat
index a1f067838..eae8c27d4 100644
--- a/testing/tests/ikev2/two-certs/posttest.dat
+++ b/testing/tests/ikev2/two-certs/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 carol::rm /etc/ipsec.d/private/*
 carol::rm /etc/ipsec.d/certs/*
diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat
index 716cf71e8..fe2aaec19 100644
--- a/testing/tests/ikev2/two-certs/pretest.dat
+++ b/testing/tests/ikev2/two-certs/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/ikev2/two-certs/test.conf b/testing/tests/ikev2/two-certs/test.conf
index d0306cd25..3f6afa02e 100644
--- a/testing/tests/ikev2/two-certs/test.conf
+++ b/testing/tests/ikev2/two-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="alice venus moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/virtual-ip-override/evaltest.dat b/testing/tests/ikev2/virtual-ip-override/evaltest.dat
index 34ccb76ca..cb023b1fc 100644
--- a/testing/tests/ikev2/virtual-ip-override/evaltest.dat
+++ b/testing/tests/ikev2/virtual-ip-override/evaltest.dat
@@ -1,13 +1,17 @@
-moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-dave::ipsec statusall::home.*INSTALLED::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::NO
-moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES
-moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::NO
+moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::src PH_IP_CAROL1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::src PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::src PH_IP_DAVE1::YES
 
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf
index c9867c7d4..62c30cf28 100755..100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf
index 98dd99271..fa99a4c86 100755..100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf
index bafd1b155..a8cf08544 100755..100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -13,7 +10,6 @@ conn %default
 	keyexchange=ikev2
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
-	leftsourceip=PH_IP_MOON1
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftfirewall=yes
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/posttest.dat b/testing/tests/ikev2/virtual-ip-override/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/virtual-ip-override/posttest.dat
+++ b/testing/tests/ikev2/virtual-ip-override/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/virtual-ip-override/pretest.dat b/testing/tests/ikev2/virtual-ip-override/pretest.dat
index 5ec37aae1..1765a83cd 100644
--- a/testing/tests/ikev2/virtual-ip-override/pretest.dat
+++ b/testing/tests/ikev2/virtual-ip-override/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/virtual-ip-override/test.conf b/testing/tests/ikev2/virtual-ip-override/test.conf
index 01c94f7fb..5139506ac 100644
--- a/testing/tests/ikev2/virtual-ip-override/test.conf
+++ b/testing/tests/ikev2/virtual-ip-override/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/virtual-ip/evaltest.dat b/testing/tests/ikev2/virtual-ip/evaltest.dat
index e3c3c7f3c..0f5df71d7 100644
--- a/testing/tests/ikev2/virtual-ip/evaltest.dat
+++ b/testing/tests/ikev2/virtual-ip/evaltest.dat
@@ -1,21 +1,25 @@
-moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-dave::ipsec statusall::home.*INSTALLED::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES
-moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES
-moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::src PH_IP_CAROL1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::src PH_IP_DAVE1::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_seq=1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::src PH_IP_DAVE1::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf
index c9867c7d4..62c30cf28 100755..100644
--- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf
index b58ba5460..3ecb3b830 100755..100644
--- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf
index fb7abe556..42e4ff453 100755..100644
--- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/posttest.dat b/testing/tests/ikev2/virtual-ip/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/ikev2/virtual-ip/posttest.dat
+++ b/testing/tests/ikev2/virtual-ip/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/virtual-ip/pretest.dat b/testing/tests/ikev2/virtual-ip/pretest.dat
index 5ec37aae1..1765a83cd 100644
--- a/testing/tests/ikev2/virtual-ip/pretest.dat
+++ b/testing/tests/ikev2/virtual-ip/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/virtual-ip/test.conf b/testing/tests/ikev2/virtual-ip/test.conf
index 1a8f2a4e0..164b07ff9 100644
--- a/testing/tests/ikev2/virtual-ip/test.conf
+++ b/testing/tests/ikev2/virtual-ip/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon alice"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/wildcards/evaltest.dat b/testing/tests/ikev2/wildcards/evaltest.dat
index 2bc83eacd..4789640ec 100644
--- a/testing/tests/ikev2/wildcards/evaltest.dat
+++ b/testing/tests/ikev2/wildcards/evaltest.dat
@@ -1,8 +1,8 @@
-carol::ipsec status::alice.*PH_IP_CAROL.*PH_IP_ALICE::YES
-moon::ipsec status::alice.*PH_IP_ALICE.*PH_IP_CAROL::YES
-carol::ipsec status::venus.*PH_IP_CAROL.*PH_IP_VENUS::NO
-moon::ipsec status::venus.*PH_IP_VENUS.*PH_IP_CAROL::NO
-dave::ipsec status::venus.*PH_IP_DAVE.*PH_IP_VENUS::YES
-moon::ipsec status::venus.*PH_IP_VENUS.*PH_IP_DAVE::YES
-dave::ipsec status::alice.*PH_IP_DAVE.*PH_IP_ALICE::NO
-moon::ipsec status::alice.*PH_IP_ALICE.*PH_IP_DAVE::NO
+carol::ipsec status 2> /dev/null::alice..*PH_IP_CAROL.*PH_IP_ALICE::YES
+moon:: ipsec status 2> /dev/null::alice.*PH_IP_ALICE.*PH_IP_CAROL::YES
+carol::ipsec status 2> /dev/null::venus.*PH_IP_CAROL.*PH_IP_VENUS::NO
+moon:: ipsec status 2> /dev/null::venus.*PH_IP_VENUS.*PH_IP_CAROL::NO
+dave:: ipsec status 2> /dev/null::venus.*PH_IP_DAVE.*PH_IP_VENUS::YES
+moon:: ipsec status 2> /dev/null::venus.*PH_IP_VENUS.*PH_IP_DAVE::YES
+dave:: ipsec status 2> /dev/null::alice.*PH_IP_DAVE.*PH_IP_ALICE::NO
+moon:: ipsec status 2> /dev/null::alice.*PH_IP_ALICE.*PH_IP_DAVE::NO
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
index 043160a0f..2ff604dfa 100755..100644
--- a/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
index a01676be3..fbdc9c6a3 100755..100644
--- a/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
index 0523d56dd..a8183f59e 100755..100644
--- a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
index 88f162098..85d8c191f 100644
--- a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/wildcards/pretest.dat b/testing/tests/ikev2/wildcards/pretest.dat
index e3da87520..3c4832e5e 100644
--- a/testing/tests/ikev2/wildcards/pretest.dat
+++ b/testing/tests/ikev2/wildcards/pretest.dat
@@ -1,4 +1,3 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
 carol::ipsec start
 dave::ipsec start
 moon::ipsec start
diff --git a/testing/tests/ikev2/wildcards/test.conf b/testing/tests/ikev2/wildcards/test.conf
index 08e5cc145..9bb88d79f 100644
--- a/testing/tests/ikev2/wildcards/test.conf
+++ b/testing/tests/ikev2/wildcards/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/host2host-ikev1/evaltest.dat b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
index 62fc85953..186ce4e06 100644
--- a/testing/tests/ipv6/host2host-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
 moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
index 9940e81a5..9e68eb674 100755..100644
--- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
@@ -26,3 +29,4 @@ conn host-host
 	right=PH_IP6_SUN
 	rightid=@sun.strongswan.org
 	auto=add
+
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..7f26bc4d4
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
index 016adc095..23bc5c627 100755..100644
--- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..7f26bc4d4
--- /dev/null
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/host2host-ikev1/posttest.dat b/testing/tests/ipv6/host2host-ikev1/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/host2host-ikev1/posttest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/host2host-ikev1/pretest.dat b/testing/tests/ipv6/host2host-ikev1/pretest.dat
index 3536fd886..46c015387 100644
--- a/testing/tests/ipv6/host2host-ikev1/pretest.dat
+++ b/testing/tests/ipv6/host2host-ikev1/pretest.dat
@@ -1,6 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection host-host
+sun::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ipv6/host2host-ikev1/test.conf b/testing/tests/ipv6/host2host-ikev1/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/host2host-ikev1/test.conf
+++ b/testing/tests/ipv6/host2host-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/host2host-ikev2/evaltest.dat b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
index e658398db..186ce4e06 100644
--- a/testing/tests/ipv6/host2host-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::host-host.*INSTALLED::YES
-sun::ipsec status::host-host.*INSTALLED::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
 moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf
index 930ae5785..faee5c854 100755..100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf
index d7653f1c3..f4dc393ee 100755..100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/posttest.dat b/testing/tests/ipv6/host2host-ikev2/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/host2host-ikev2/posttest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/host2host-ikev2/pretest.dat b/testing/tests/ipv6/host2host-ikev2/pretest.dat
index 7e97e7783..46c015387 100644
--- a/testing/tests/ipv6/host2host-ikev2/pretest.dat
+++ b/testing/tests/ipv6/host2host-ikev2/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection host-host
+sun::expect-connection host-host
 moon::ipsec up host-host
-moon::sleep 1
diff --git a/testing/tests/ipv6/host2host-ikev2/test.conf b/testing/tests/ipv6/host2host-ikev2/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/host2host-ikev2/test.conf
+++ b/testing/tests/ipv6/host2host-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ikev1/evaltest.dat
index 459b0a630..4cf23a31b 100644
--- a/testing/tests/ipv6/net2net-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
 alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
index bb96a71e0..4821989a9 100755..100644
--- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
@@ -26,4 +29,3 @@ conn host-host
 	right=PH_IP6_SUN
 	rightid=@sun.strongswan.org
 	auto=add
-
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
index 016adc095..23bc5c627 100755..100644
--- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn net-net
 	also=host-host
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/net2net-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ikev1/posttest.dat
index 4c95e2afe..078fca541 100644
--- a/testing/tests/ipv6/net2net-ikev1/posttest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/posttest.dat
@@ -4,5 +4,7 @@ alice::"ip route del fec2:\:/16 via fec1:\:1"
 moon::"ip route del fec2:\:/16 via fec0:\:2"
 sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ikev1/pretest.dat
index e360bfbaa..a14b3cf79 100644
--- a/testing/tests/ipv6/net2net-ikev1/pretest.dat
+++ b/testing/tests/ipv6/net2net-ikev1/pretest.dat
@@ -1,10 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
 moon::"ip route add fec2:\:/16 via fec0:\:2"
 sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
diff --git a/testing/tests/ipv6/net2net-ikev1/test.conf b/testing/tests/ipv6/net2net-ikev1/test.conf
index 991d884db..55b90befe 100644
--- a/testing/tests/ipv6/net2net-ikev1/test.conf
+++ b/testing/tests/ipv6/net2net-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ikev2/evaltest.dat
index 1b4e7c88a..4cf23a31b 100644
--- a/testing/tests/ipv6/net2net-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*INSTALLED::YES
-sun::ipsec status::net.net.*INSTALLED::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
 alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf
index 155cf1d4c..c3dca0d7e 100755..100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf
index 09abc7b02..d2673d93d 100755..100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ikev2/posttest.dat
index 4c95e2afe..078fca541 100644
--- a/testing/tests/ipv6/net2net-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/posttest.dat
@@ -4,5 +4,7 @@ alice::"ip route del fec2:\:/16 via fec1:\:1"
 moon::"ip route del fec2:\:/16 via fec0:\:2"
 sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ikev2/pretest.dat
index 8a8af2ccb..a14b3cf79 100644
--- a/testing/tests/ipv6/net2net-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ikev2/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
 moon::"ip route add fec2:\:/16 via fec0:\:2"
 sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ikev2/test.conf b/testing/tests/ipv6/net2net-ikev2/test.conf
index 991d884db..55b90befe 100644
--- a/testing/tests/ipv6/net2net-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
index 077899e36..151b73c27 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net.net.*STATE_QUICK_R2.*IPsec SA established::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf
index 1781313cc..c43086f76 100755..100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	charonstart=no
-	plutodebug=control
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	mobike=no
+	fragmentation=yes
 
 conn net-net
 	also=host-host
@@ -23,6 +25,7 @@ conn host-host
 	left=PH_IP6_MOON
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
+	leftfirewall=yes
 	right=PH_IP6_SUN
 	rightid=@sun.strongswan.org
 	auto=add
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
index 2caf09104..8e6478c51 100755..100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	charonstart=no
-	plutodebug=control
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	mobike=no
+	fragmentation=yes
 
 conn net-net
 	also=host-host
@@ -23,6 +25,7 @@ conn host-host
 	left=PH_IP6_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
+	leftfirewall=yes
 	right=PH_IP6_MOON
 	rightid=@moon.strongswan.org
 	auto=add
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..d4b9a55a4
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size=1024
+}
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
index dff181797..d3bebd0c6 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/posttest.dat
@@ -1,2 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
index a96b719bf..812ccd162 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/pretest.dat
@@ -1,7 +1,9 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 2 
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
index cab801a1c..8f8d9222d 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip4-in-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
index 76c138e63..151b73c27 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*INSTALLED::YES
-sun::ipsec status::net.net.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf
index c47ff8059..704737eaf 100755..100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
index c1041bd87..a880b12a1 100755..100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
index a88456d52..812ccd162 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 2 
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
index cab801a1c..8f8d9222d 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip4-in-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
index 2f73ef7d8..803cf5ef5 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::net.net.*STATE_QUICK_R2.*IPsec SA established::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
 alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
index 773d2ed48..93660a2d8 100755..100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -15,10 +11,10 @@ conn %default
 
 conn net-net 
 	left=PH_IP_MOON
-	leftnexthop=%direct
 	leftsubnet=fec1::0/16
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
+	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=fec2::0/16
 	rightid=@sun.strongswan.org
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
index 1cfd1eb1f..d18c788fa 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  install_routes = no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf
index bb3f4f765..30dadee78 100755..100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -15,10 +11,10 @@ conn %default
 
 conn net-net
 	left=PH_IP_SUN
-	leftnexthop=%direct
 	leftsubnet=fec2::0/16
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
+	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=fec1::0/16
 	rightid=@moon.strongswan.org
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
index 1cfd1eb1f..be176e981 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac kernel-netlink
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  install_routes=no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
index 7a8af32bc..078fca541 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/posttest.dat
@@ -1,6 +1,10 @@
 moon::ipsec stop
 sun::ipsec stop
 alice::"ip route del fec2:\:/16 via fec1:\:1"
-moon::"ip route del fec2:\:/16 via fec0:\:2" 
-sun::"ip route del fec1:\:/16 via fec0:\:1" 
+moon::"ip route del fec2:\:/16 via fec0:\:2"
+sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
index 130058a40..58711bc06 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/pretest.dat
@@ -1,11 +1,13 @@
-moon::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-sun::echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
-moon::"ip route add fec2:\:/16 via fec0:\:2" 
-sun::"ip route add fec1:\:/16 via fec0:\:1" 
+moon::"ip route add fec2:\:/16 via fec0:\:2"
+sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
index d5d55c749..fe141076d 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6-in-ip4.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
index 833553f27..803cf5ef5 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec status::net-net.*INSTALLED::YES
-sun::ipsec status::net.net.*INSTALLED::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
 alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index d556762b7..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # allow ICMPv6 neighbor-solicitations
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
-        # allow ICMPv6 neighbor-advertisements
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
index a452c7a35..f1cbd5576 100755..100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
index 393ea64f9..d18c788fa 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
   install_routes = no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 21ff88d0d..000000000
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-        # allow ICMPv6 neighbor-solicitations
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-
-        # allow ICMPv6 neighbor-advertisements
-        ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-        ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-        # allow crl fetch from winnetou
-        iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf
index 448cccbb7..1f1fa6c51 100755..100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
index 014b5d935..be176e981 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
   install_routes=no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
index c78d884ee..078fca541 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/posttest.dat
@@ -1,8 +1,10 @@
 moon::ipsec stop
 sun::ipsec stop
 alice::"ip route del fec2:\:/16 via fec1:\:1"
-moon::"ip route del fec2:\:/16 via fec0:\:2" 
-sun::"ip route del fec1:\:/16 via fec0:\:1" 
+moon::"ip route del fec2:\:/16 via fec0:\:2"
+sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
index 7781f9b9f..58711bc06 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
-moon::"ip route add fec2:\:/16 via fec0:\:2" 
-sun::"ip route add fec1:\:/16 via fec0:\:1" 
+moon::"ip route add fec2:\:/16 via fec0:\:2"
+sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
index d5d55c749..fe141076d 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6-in-ip4.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
index a311992b7..3b0a3eeca 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/evaltest.dat
@@ -1,7 +1,9 @@
-moon::ipsec status::net-net.*INSTALLED::YES
-sun::ipsec status::net.net.*INSTALLED::YES
-moon::cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES
-sun::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net.net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net.net.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::TS fec2:\:/16 is contained in address block constraint fec2:\:/16::YES
+sun::  cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
 alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
index 846a3f794..46b9ad415 100755..100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
index 94873ddeb..2b824dc55 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf
index adf411da5..4a0f911a3 100755..100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
index 94873ddeb..2b824dc55 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
index 4c95e2afe..078fca541 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/posttest.dat
@@ -4,5 +4,7 @@ alice::"ip route del fec2:\:/16 via fec1:\:1"
 moon::"ip route del fec2:\:/16 via fec0:\:2"
 sun::"ip route del fec1:\:/16 via fec0:\:1"
 bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
index 8a8af2ccb..a14b3cf79 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/pretest.dat
@@ -1,11 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec2:\:/16 via fec1:\:1"
 moon::"ip route add fec2:\:/16 via fec0:\:2"
 sun::"ip route add fec1:\:/16 via fec0:\:1"
 bob::"ip route add fec1:\:/16 via fec2:\:1"
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection net-net
+sun::expect-connection net-net
 moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
index 991d884db..55b90befe 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
  
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/rw-ikev1/description.txt b/testing/tests/ipv6/rw-ikev1/description.txt
index 046c4b50c..17461370e 100644
--- a/testing/tests/ipv6/rw-ikev1/description.txt
+++ b/testing/tests/ipv6/rw-ikev1/description.txt
@@ -1,7 +1,7 @@
-The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>.
-The authentication is based on <b>X.509 certificates</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically inserts
-ip6tables-based firewall rules that let pass the tunneled traffic.
-In order to test both the IPv6 ESP tunnel and the firewall rules, <b>carol</b>
-sends an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b>
+The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPv6 ESP tunnels, <b>leftfirewall=yes</b>
+automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send
+an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b>
 using the ping6 command.
diff --git a/testing/tests/ipv6/rw-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ikev1/evaltest.dat
index 894e9118e..0e125b70e 100644
--- a/testing/tests/ipv6/rw-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-ikev1/evaltest.dat
@@ -1,5 +1,15 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
index 363c910b0..4bcfd19dd 100755..100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn home
 	left=PH_IP6_CAROL
@@ -19,10 +22,6 @@ conn home
 	leftid=carol@strongswan.org
 	leftfirewall=yes
 	right=PH_IP6_MOON
-	rightsubnet=fec1::/16
 	rightid=@moon.strongswan.org
+	rightsubnet=fec1::/16
 	auto=add
-
-
-
-
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf
index ba47559a0..125303638 100755..100644
--- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,19 +14,14 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn home
-	left=PH_IP_DAVE
-	leftsourceip=%modeconfig
+	left=PH_IP6_DAVE
 	leftcert=daveCert.pem
 	leftid=dave@strongswan.org
 	leftfirewall=yes
-	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
+	right=PH_IP6_MOON
 	rightid=@moon.strongswan.org
-	modeconfig=push
+	rightsubnet=fec1::/16
 	auto=add
-
-
-
-
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
index 1b5a2aced..880b1b2e7 100755..100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn rw
 	left=PH_IP6_MOON
@@ -19,5 +22,5 @@ conn rw
 	leftid=@moon.strongswan.org
 	leftsubnet=fec1::/16
 	leftfirewall=yes
-	right=%any6
+	right=%any
 	auto=add
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/rw-ikev1/posttest.dat b/testing/tests/ipv6/rw-ikev1/posttest.dat
index d37b96f9c..4e59395e3 100644
--- a/testing/tests/ipv6/rw-ikev1/posttest.dat
+++ b/testing/tests/ipv6/rw-ikev1/posttest.dat
@@ -1,6 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-ikev1/pretest.dat b/testing/tests/ipv6/rw-ikev1/pretest.dat
index 2b3bf90a7..f60be3887 100644
--- a/testing/tests/ipv6/rw-ikev1/pretest.dat
+++ b/testing/tests/ipv6/rw-ikev1/pretest.dat
@@ -1,8 +1,17 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
-carol::ipsec start
+dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ipv6/rw-ikev1/test.conf b/testing/tests/ipv6/rw-ikev1/test.conf
index bce9814db..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-ikev1/test.conf
+++ b/testing/tests/ipv6/rw-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w-ip6.png"
+DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ikev2/evaltest.dat
index cee1853c4..0e125b70e 100644
--- a/testing/tests/ipv6/rw-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-ikev2/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf
index e544e948f..21166b2d0 100755..100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf
index 58bc25b0b..9513be833 100755..100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf
index 378e7bfd7..4bed27ec5 100755..100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/posttest.dat b/testing/tests/ipv6/rw-ikev2/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-ikev2/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-ikev2/pretest.dat b/testing/tests/ipv6/rw-ikev2/pretest.dat
index 7da0c1028..f60be3887 100644
--- a/testing/tests/ipv6/rw-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-ikev2/pretest.dat
@@ -1,13 +1,17 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 2 
diff --git a/testing/tests/ipv6/rw-ikev2/test.conf b/testing/tests/ipv6/rw-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt
new file mode 100644
index 000000000..f9412611b
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6-in-IPv4 tunnel connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Both <b>carol</b> and <b>dave</b> request a virtual IPv6 address from <b>moon</b> via
+the IKEv1 mode config payload.
+<p/>
+Upon the successful establishment of the ESP tunnels, <b>leftfirewall=yes</b>
+automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send
+an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b>
+using the ping6 command.
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat
new file mode 100644
index 000000000..f6dc9aa3e
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf
index 99a8c60ff..8aba6f0b1 100755..100644
--- a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -15,10 +11,11 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftsourceip=%config
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
+	leftsourceip=%config
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightsubnet=fec1::/16
 	auto=add
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5ef523e47
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..d0ff82c2d
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftsourceip=%config
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=fec1::/16
+	auto=add
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5ef523e47
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e77d7b608
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=fec1::/16
+	leftfirewall=yes
+	right=%any
+	rightsourceip=fec3::/120
+	auto=add
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5ef523e47
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat
new file mode 100644
index 000000000..ebe5e2a80
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
+alice::"ip route del fec3:\:/16 via fec1:\:1"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat
new file mode 100644
index 000000000..e73bde487
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/pretest.dat
@@ -0,0 +1,15 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
+alice::"ip route add fec3:\:/16 via fec1:\:1"
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf
new file mode 100644
index 000000000..05bb8ab6d
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt
new file mode 100644
index 000000000..237e6fa52
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6-in-IPv4 tunnel connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Both <b>carol</b> and <b>dave</b> request a virtual IPv6 address from <b>moon</b> via
+the IKEv2 configuration payload.
+<p/>
+Upon the successful establishment of the ESP tunnels, <b>leftfirewall=yes</b>
+automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> send
+an IPv6 ICMP request to the client <b>alice</b> behind the gateway <b>moon</b>
+using the ping6 command.
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat
new file mode 100644
index 000000000..f6dc9aa3e
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat
@@ -0,0 +1,15 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org > dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..1ca1c6c26
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftsourceip=%config
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=fec1::/16
+	auto=add
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5ef523e47
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..bba2d96f7
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftsourceip=%config
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=fec1::/16
+	auto=add
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..5ef523e47
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
new file mode 100644
index 000000000..409f2e9bb
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ip6tables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ICMPv6 neighbor-solicitations
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+
+# allow ICMPv6 neighbor-advertisements
+-A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+
+# log dropped packets
+-A INPUT  -j LOG --log-prefix " IN: "
+-A OUTPUT -j LOG --log-prefix " OUT: "
+
+COMMIT
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..5ea245568
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=fec1::/16
+	leftfirewall=yes
+	right=%any
+	rightsourceip=fec3::/120
+	auto=add
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5ef523e47
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  hash_and_url = yes
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat
new file mode 100644
index 000000000..ebe5e2a80
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
+alice::"ip route del fec3:\:/16 via fec1:\:1"
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat
new file mode 100644
index 000000000..e73bde487
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/pretest.dat
@@ -0,0 +1,15 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
+alice::"ip route add fec3:\:/16 via fec1:\:1"
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf
new file mode 100644
index 000000000..05bb8ab6d
--- /dev/null
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-ip6.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-psk-ikev1/description.txt b/testing/tests/ipv6/rw-psk-ikev1/description.txt
index 81072ebf6..66fc09053 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/description.txt
+++ b/testing/tests/ipv6/rw-psk-ikev1/description.txt
@@ -1,5 +1,7 @@
-The roadwarrior <b>carol</b> sets up an IPv6 tunnel connection to gateway <b>moon</b>.
-The authentication is based on <b>Preshared Keys</b> (PSK) and <b>IPv6 addresses</b> (ID_IPV6_ADDR).
-<b>firewall=yes</b> automatically inserts ip6tables-based firewall rules that let pass
-the tunneled traffic. In order to test the tunnel <b>carol</b> sends an IPv6
-ICMP request to client <b>alice</b> behind the gateway <b>moon</b> using the ping6 command.
+The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 tunnel connection each 
+to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b>
+and IPv6 addresses. Upon the successful establishment of the IPsec tunnels,
+<b>leftfirewall=yes</b> automatically inserts ip6tables-based firewall rules that
+let pass the tunneled traffic. In order to test both tunnel and firewall, both
+<b>carol</b> and <b>dave</b> send an IPv6 ICMP request to client <b>alice</b>
+behind the gateway <b>moon</b> using the ping6 command.
diff --git a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
index 4046d0bbc..16982a736 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev1/evaltest.dat
@@ -1,5 +1,15 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
-moon::tcpdump::IP6 ip6-moon.strongswan.org  > ip6-carol.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
+moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES
+
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
index 76135d1ee..47080139f 100755..100644
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	authby=secret
-	
+
 conn home
 	left=PH_IP6_CAROL
 	leftfirewall=yes
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets
index 42c84fc49..2abcb4e0a 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-PH_IP6_CAROL PH_IP6_MOON : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..699d8fdb1
--- /dev/null
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..c59d32a14
--- /dev/null
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	strictcrlpolicy=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev1
+	authby=secret
+
+conn home
+	left=PH_IP6_DAVE
+	leftfirewall=yes
+	right=PH_IP6_MOON
+	rightsubnet=fec1::/16
+	auto=add
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..2375cd559
--- /dev/null
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP6_DAVE  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..699d8fdb1
--- /dev/null
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
index 69b154bcf..7d32866b5 100755..100644
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,10 +9,10 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 	authby=secret
-	
+
 conn rw
 	left=PH_IP6_MOON
 	leftsubnet=fec1::/16
 	leftfirewall=yes
-	right=%any6
+	right=%any
 	auto=add
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets
index ac738c1aa..88c418353 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/ipsec.secrets
@@ -1,3 +1,5 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-PH_IP6_MOON %any6 : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+PH_IP6_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
+
+PH_IP6_DAVE  : PSK 0sjVzONCF02ncsgiSlmIXeqhGN
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..699d8fdb1
--- /dev/null
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat
index d37b96f9c..4e59395e3 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/posttest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev1/posttest.dat
@@ -1,6 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat
index 6fbbccaae..93a96ec36 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/pretest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev1/pretest.dat
@@ -1,10 +1,20 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
+dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::rm /etc/ipsec.d/cacerts/*
 carol::rm /etc/ipsec.d/cacerts/*
-carol::ipsec start
+dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
-carol::sleep 2
+carol::ipsec start
+dave::ipsec start
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ipv6/rw-psk-ikev1/test.conf b/testing/tests/ipv6/rw-psk-ikev1/test.conf
index bce9814db..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/test.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
-DIAGRAM="a-m-c-w-ip6.png"
+DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon carol"
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
index cee1853c4..16982a736 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:10].*\[fec0.*:1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*:20].*\[fec0.*:1]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:10]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*:1].*\[fec0.*:20]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf
index b656b9ec7..eed683f72 100755..100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
index 882ea04a5..699d8fdb1 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf
index c62f4ff07..3b45adb0d 100755..100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/ipsec.conf
@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
index 882ea04a5..699d8fdb1 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 6c437fe03..000000000
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf
index 0cf988768..f6c4c6ab9 100755..100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
index 882ea04a5..699d8fdb1 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
index e3040d125..93a96ec36 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-psk-ikev2/pretest.dat
@@ -1,6 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
@@ -10,7 +13,8 @@ dave::rm /etc/ipsec.d/cacerts/*
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ipv6/rw-psk-ikev2/test.conf b/testing/tests/ipv6/rw-psk-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
index 4ed973ca4..551eae263 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/evaltest.dat
@@ -1,12 +1,17 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-moon::cat /var/log/daemon.log::TS fec0:\:10/128 is contained in address block constraint fec0:\:10/128::YES
-moon::cat /var/log/daemon.log::TS fec0:\:20/128 is contained in address block constraint fec0:\:20/128::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::TS fec0:\:10/128 is contained in address block constraint fec0:\:10/128::YES
+moon:: cat /var/log/daemon.log::TS fec0:\:20/128 is contained in address block constraint fec0:\:20/128::YES
 carol::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
-dave::cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
+dave:: cat /var/log/daemon.log::TS fec1:\:/16 is contained in address block constraint fec1:\:/16::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf
index b4138be8d..a2e054e13 100755..100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
index 94873ddeb..2b824dc55 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf
index cc7e09b4e..8d275e2bd 100755..100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
index 94873ddeb..e2593c173 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 nonce revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
index 4832bb89f..236302350 100755..100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
index 94873ddeb..2b824dc55 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
index 07e89d7da..4e59395e3 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
index 7da0c1028..f60be3887 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/pretest.dat
@@ -1,13 +1,17 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+carol::iptables-restore < /etc/iptables.drop
+dave::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
-carol::sleep 1
+moon::expect-connection rw
+carol::expect-connection home
+dave::expect-connection home
 carol::ipsec up home
 dave::ipsec up home
-dave::sleep 2 
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ipv6/transport-ikev1/evaltest.dat b/testing/tests/ipv6/transport-ikev1/evaltest.dat
index 2010557c1..5ae9d2c12 100644
--- a/testing/tests/ipv6/transport-ikev1/evaltest.dat
+++ b/testing/tests/ipv6/transport-ikev1/evaltest.dat
@@ -1,7 +1,9 @@
-moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES
-sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 moon::ip xfrm state::mode transport::YES
-sun::ip xfrm state::mode transport::YES
+sun:: ip xfrm state::mode transport::YES
 moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
index 69ba50530..f2938f307 100755..100644
--- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn host-host
 	left=PH_IP6_MOON
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index 521d1ce31..000000000
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
index a7c6b18c7..9af8aa862 100755..100644
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/ipsec.conf
@@ -1,10 +1,12 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+
+ca strongswan
+	cacert=strongswanCert.pem
+	certuribase=http://ip6-winnetou.strongswan.org/certs/
+	crluri=http://ip6-winnetou.strongswan.org/strongswan.crl
+	auto=add
 
 conn %default
 	ikelifetime=60m
@@ -12,6 +14,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	fragmentation=yes
 
 conn host-host
 	left=PH_IP6_SUN
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..5ffc1a22a
--- /dev/null
+++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+
+  fragment_size = 1024
+}
diff --git a/testing/tests/ipv6/transport-ikev1/posttest.dat b/testing/tests/ipv6/transport-ikev1/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/transport-ikev1/posttest.dat
+++ b/testing/tests/ipv6/transport-ikev1/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/transport-ikev1/pretest.dat b/testing/tests/ipv6/transport-ikev1/pretest.dat
index 3536fd886..46c015387 100644
--- a/testing/tests/ipv6/transport-ikev1/pretest.dat
+++ b/testing/tests/ipv6/transport-ikev1/pretest.dat
@@ -1,6 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection host-host
+sun::expect-connection host-host
 moon::ipsec up host-host
diff --git a/testing/tests/ipv6/transport-ikev1/test.conf b/testing/tests/ipv6/transport-ikev1/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/transport-ikev1/test.conf
+++ b/testing/tests/ipv6/transport-ikev1/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/ipv6/transport-ikev2/evaltest.dat b/testing/tests/ipv6/transport-ikev2/evaltest.dat
index f1e26e7ea..0dfba54ea 100644
--- a/testing/tests/ipv6/transport-ikev2/evaltest.dat
+++ b/testing/tests/ipv6/transport-ikev2/evaltest.dat
@@ -1,8 +1,10 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
-moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
-sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
 moon::ip xfrm state::mode transport::YES
-sun::ip xfrm state::mode transport::YES
+sun:: ip xfrm state::mode transport::YES
 moon::ping6 -c 1 -p deadbeef ip6-sun.strongswan.org::64 bytes from ip6-sun.strongswan.org: icmp_seq=1::YES
 sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES
 sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index b1e7073af..000000000
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certficate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf
index 0d9e275b7..a48b6cbc6 100755..100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables
deleted file mode 100755
index b3509f8df..000000000
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/init.d/iptables
+++ /dev/null
@@ -1,104 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl and certificate fetch from winnetou
-	ip6tables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP6_WINNETOU -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP6_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf
index 26949985e..e80eb8101 100755..100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	crlcheckinterval=180
-	plutostart=no
 
 ca strongswan
 	cacert=strongswanCert.pem
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
index d9349846c..5ef523e47 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/transport-ikev2/posttest.dat b/testing/tests/ipv6/transport-ikev2/posttest.dat
index 5a9150bc8..d3bebd0c6 100644
--- a/testing/tests/ipv6/transport-ikev2/posttest.dat
+++ b/testing/tests/ipv6/transport-ikev2/posttest.dat
@@ -1,4 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/ipv6/transport-ikev2/pretest.dat b/testing/tests/ipv6/transport-ikev2/pretest.dat
index 7e97e7783..46c015387 100644
--- a/testing/tests/ipv6/transport-ikev2/pretest.dat
+++ b/testing/tests/ipv6/transport-ikev2/pretest.dat
@@ -1,7 +1,9 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.drop
+sun::iptables-restore < /etc/iptables.drop
+moon::ip6tables-restore < /etc/ip6tables.rules
+sun::ip6tables-restore < /etc/ip6tables.rules
 moon::ipsec start
 sun::ipsec start
-moon::sleep 2 
+moon::expect-connection host-host
+sun::expect-connection host-host
 moon::ipsec up host-host
-moon::sleep 1
diff --git a/testing/tests/ipv6/transport-ikev2/test.conf b/testing/tests/ipv6/transport-ikev2/test.conf
index 6ab5b8a96..56df1a0da 100644
--- a/testing/tests/ipv6/transport-ikev2/test.conf
+++ b/testing/tests/ipv6/transport-ikev2/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/libipsec/net2net-cert/description.txt b/testing/tests/libipsec/net2net-cert/description.txt
new file mode 100644
index 000000000..433d97574
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and the <b>kernel-libipsec</b> 
+plugin is used for userland IPsec ESP encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the
+<b>ipsec0</b> tun interface. In order to test both tunnel and firewall, client <b>alice</b>
+behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/libipsec/net2net-cert/evaltest.dat b/testing/tests/libipsec/net2net-cert/evaltest.dat
new file mode 100644
index 000000000..f702ceadf
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES
+sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..631adfcd3
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftupdown=/etc/updown
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..97bb34aed
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
index 0d22e684d..1a68ada0e 100755
--- a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
@@ -1,10 +1,10 @@
 #! /bin/sh
-# updown script setting inbound marks on ESP traffic in the mangle chain
+# iproute2 version, default updown script
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
 # Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
 #
 # This program is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by the
@@ -51,6 +51,9 @@
 #       PLUTO_REQID
 #              is the requid of the ESP policy
 #
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
 #       PLUTO_ME
 #              is the IP address of our host.
 #
@@ -73,8 +76,12 @@
 #              just the host, this will be 255.255.255.255.
 #
 #       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
 #
 #       PLUTO_MY_PROTOCOL
 #              is the IP protocol that will be transported.
@@ -128,6 +135,12 @@
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
 
 # define a minimum PATH environment in case it is not set
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
@@ -298,18 +311,6 @@ else
 	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 fi
 
-# is there an inbound mark to be set?
-if [ -n "$PLUTO_MARK_IN" ]
-then
-	if [ -n "$PLUTO_UDP_ENC" ]
-	then
-	    SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
-	else
-		SET_MARK="-p esp"
-	fi
-	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
-fi
-
 # are there port numbers?
 if [ "$PLUTO_MY_PORT" != 0 ]
 then
@@ -382,10 +383,37 @@ unroute-host:*|unroute-client:*)
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK
-	fi
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
 	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
@@ -406,13 +434,10 @@ up-host:)
 	  fi
 	fi
 	;;
-down-host:)
-	# connection to me going down
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK
-	fi
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
@@ -433,13 +458,10 @@ down-host:)
 	  fi
 	fi
 	;;
-up-client:)
-	# connection to my client subnet coming up
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK
-	fi
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
 	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
@@ -475,13 +497,10 @@ up-client:)
 	  fi
 	fi
 	;;
-down-client:)
-	# connection to my client subnet going down
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK
-	fi
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
 	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
@@ -521,6 +540,165 @@ down-client:)
 	  fi
 	fi
 	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
 *)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
 	exit 1
 	;;
diff --git a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf
index a7722142f..b16440aa1 100644
--- a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -1,20 +1,22 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
-version	2.0	# conforms to second version of ipsec.conf specification
-
 config setup
-	plutostart=no
 
 conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
 	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
 	leftsubnet=10.2.0.0/16
-	keyexchange=ikev2
-	
-conn rw-alice
-	right=%any
-	rightcert=aliceCert.pem
-	rightid=alice@strongswan.org
+	leftupdown=/etc/updown
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..97bb34aed
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
index 0d22e684d..1a68ada0e 100755
--- a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
@@ -1,10 +1,10 @@
 #! /bin/sh
-# updown script setting inbound marks on ESP traffic in the mangle chain
+# iproute2 version, default updown script
 #
 # Copyright (C) 2003-2004 Nigel Meteringham
 # Copyright (C) 2003-2004 Tuomo Soini
 # Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org>
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
 #
 # This program is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by the
@@ -51,6 +51,9 @@
 #       PLUTO_REQID
 #              is the requid of the ESP policy
 #
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
 #       PLUTO_ME
 #              is the IP address of our host.
 #
@@ -73,8 +76,12 @@
 #              just the host, this will be 255.255.255.255.
 #
 #       PLUTO_MY_SOURCEIP
-#              if non-empty, then the source address for the route will be
-#              set to this IP address.
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
 #
 #       PLUTO_MY_PROTOCOL
 #              is the IP protocol that will be transported.
@@ -128,6 +135,12 @@
 #              contains the remote UDP port in the case of ESP_IN_UDP
 #              encapsulation
 #
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
 
 # define a minimum PATH environment in case it is not set
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
@@ -298,18 +311,6 @@ else
 	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
 fi
 
-# is there an inbound mark to be set?
-if [ -n "$PLUTO_MARK_IN" ]
-then
-	if [ -n "$PLUTO_UDP_ENC" ]
-	then
-	    SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
-	else
-		SET_MARK="-p esp"
-	fi
-	SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
-fi
-
 # are there port numbers?
 if [ "$PLUTO_MY_PORT" != 0 ]
 then
@@ -382,10 +383,37 @@ unroute-host:*|unroute-client:*)
 up-host:)
 	# connection to me coming up
 	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK
-	fi
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
 	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
@@ -406,13 +434,10 @@ up-host:)
 	  fi
 	fi
 	;;
-down-host:)
-	# connection to me going down
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK
-	fi
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
 	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
 	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
@@ -433,13 +458,10 @@ down-host:)
 	  fi
 	fi
 	;;
-up-client:)
-	# connection to my client subnet coming up
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -A PREROUTING $SET_MARK
-	fi
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
 	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
@@ -475,13 +497,10 @@ up-client:)
 	  fi
 	fi
 	;;
-down-client:)
-	# connection to my client subnet going down
-	# If you are doing a custom version, firewall commands go here.
-	if [ -n "$PLUTO_MARK_IN" ]
-	then
-	    iptables -t mangle -D PREROUTING $SET_MARK
-	fi
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
 	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
 	then
 	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
@@ -521,6 +540,165 @@ down-client:)
 	  fi
 	fi
 	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
 *)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
 	exit 1
 	;;
diff --git a/testing/tests/libipsec/net2net-cert/posttest.dat b/testing/tests/libipsec/net2net-cert/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/net2net-cert/pretest.dat b/testing/tests/libipsec/net2net-cert/pretest.dat
new file mode 100644
index 000000000..c724e5df8
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/libipsec/net2net-cert/test.conf b/testing/tests/libipsec/net2net-cert/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/libipsec/rw-suite-b/description.txt b/testing/tests/libipsec/rw-suite-b/description.txt
new file mode 100644
index 000000000..a1b09405a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on Suite B with <b>128 bit</b> security based on <b>X.509 ECDSA</b>
+certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b> authenticated encryption.
+The <b>kernel-libipsec</b> plugin is used for userland IPsec AES-GCM authenticated ESP
+encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the <b>ipsec0</b>
+tun interface. In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat
new file mode 100644
index 000000000..d59ea3c34
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES 
+moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-256 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.4500 > carol.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP dave.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.4500 > dave.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf
index bb1879b1d..8106e28d2 100755..100644
--- a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf
@@ -1,24 +1,23 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=yes
-	cachecrls=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
-
-conn home
+	leftsourceip=%config
+	leftupdown=/etc/updown
 	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..a85635faf
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..d29ddb9ee
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49
+AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B
+rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3d6725162
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..06bcaa1e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+ 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..9b6ca682a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn home 
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftsourceip=%config
+	leftupdown=/etc/updown
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..c83be145d
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh
+RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c
+CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3
+45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi
+gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..17e94022e
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICwxFtCsSqIAzwZDyxHclTRdz/tGzAY7fP/vPoxqr8vuoAoGCCqGSM49
+AwEHoUQDQgAENGlLrntwXAbxemhCEiA+HPplQScr0ptnz1UUZAEKoUZLUxzGA1mO
+gfHv4hq+Bg3heW46+OrzAeXhLVcd3IVm0A==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
index fac55d63b..ebd3a2839 100644
--- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: RSA carolKey.pem
+: ECDSA daveKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..06bcaa1e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+ 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..733592087
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftupdown=/etc/updown
+	right=%any
+	rightsourceip=10.3.0.0/24
+	auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..a3b043e82
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBBzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MTc0M1oXDTE4MDYwMjA3MTc0M1owXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAATf97+pfDnyPIA9gf6bYTZiIjNBAbCjCIqxxWou/oMq
+/9V1O20vyI/dg2g3yzTdzESUa+X81fop+i2n9ymBqI1No4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCALNndw3C
+DDWCb0f+6P6hxkqiYmUpv39XrioZrLbw+MjMD2WAchbj60KibBep1cVwIq3kWIJ6
+Jj0tYXG+f6yjmImqAkIBGOGRm+MQZxPFdYZoJZq5QXwIN0w2hJxmLIxBASW4PLdl
+RLIlvW/XTJObdb0VVYmClg0HTSvuuYOJrzwdyd8D1w0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..5bd2778a9
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHWBnv6tDi/CTTWOQi/0XME7r8Wd5GRPaXx3wNTElpSvoAoGCCqGSM49
+AwEHoUQDQgAE3/e/qXw58jyAPYH+m2E2YiIzQQGwowiKscVqLv6DKv/VdTttL8iP
+3YNoN8s03cxElGvl/NX6Kfotp/cpgaiNTQ==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets
index fac55d63b..1ef3eccb5 100644
--- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: RSA carolKey.pem
+: ECDSA moonKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..efa0575e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+}
+
+libstrongswan {
+  plugins {
+    openssl {
+      fips_mode = 2 
+    }
+  }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+# CAUTION:  Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make.  If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+#      PLUTO_VERSION
+#              indicates  what  version of this interface is being
+#              used.  This document describes version  1.1.   This
+#              is upwardly compatible with version 1.0.
+#
+#       PLUTO_VERB
+#              specifies the name of the operation to be performed
+#              (prepare-host, prepare-client, up-host, up-client,
+#              down-host, or down-client).  If the address family
+#              for security gateway to security gateway communica-
+#              tions is IPv6, then a suffix of -v6 is added to the
+#              verb.
+#
+#       PLUTO_CONNECTION
+#              is the name of the  connection  for  which  we  are
+#              routing.
+#
+#       PLUTO_NEXT_HOP
+#              is the next hop to which packets bound for the peer
+#              must be sent.
+#
+#       PLUTO_INTERFACE
+#              is the name of the ipsec interface to be used.
+#
+#       PLUTO_REQID
+#              is the requid of the ESP policy
+#
+#       PLUTO_UNIQUEID
+#              is the unique identifier of the associated IKE_SA
+#
+#       PLUTO_ME
+#              is the IP address of our host.
+#
+#       PLUTO_MY_ID
+#              is the ID of our host.
+#
+#       PLUTO_MY_CLIENT
+#              is the IP address / count of our client subnet.  If
+#              the  client  is  just  the  host,  this will be the
+#              host's own IP address / max (where max  is  32  for
+#              IPv4 and 128 for IPv6).
+#
+#       PLUTO_MY_CLIENT_NET
+#              is the IP address of our client net.  If the client
+#              is just the host, this will be the  host's  own  IP
+#              address.
+#
+#       PLUTO_MY_CLIENT_MASK
+#              is  the  mask for our client net.  If the client is
+#              just the host, this will be 255.255.255.255.
+#
+#       PLUTO_MY_SOURCEIP
+#       PLUTO_MY_SOURCEIP4_$i
+#       PLUTO_MY_SOURCEIP6_$i
+#              contains IPv4/IPv6 virtual IP received from a responder,
+#              $i enumerates from 1 to the number of IP per address family.
+#              PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+#              virtual IP, IPv4 or IPv6.
+#
+#       PLUTO_MY_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_MY_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on our side.
+#
+#       PLUTO_PEER
+#              is the IP address of our peer.
+#
+#       PLUTO_PEER_ID
+#              is the ID of our peer.
+#
+#       PLUTO_PEER_CA
+#              is the CA which issued the cert of our peer.
+#
+#       PLUTO_PEER_CLIENT
+#              is the IP address / count of the peer's client sub-
+#              net.   If the client is just the peer, this will be
+#              the peer's own IP address / max (where  max  is  32
+#              for IPv4 and 128 for IPv6).
+#
+#       PLUTO_PEER_CLIENT_NET
+#              is the IP address of the peer's client net.  If the
+#              client is just the peer, this will  be  the  peer's
+#              own IP address.
+#
+#       PLUTO_PEER_CLIENT_MASK
+#              is  the  mask  for  the  peer's client net.  If the
+#              client   is   just   the   peer,   this   will   be
+#              255.255.255.255.
+#
+#       PLUTO_PEER_PROTOCOL
+#              is the IP protocol that will be transported.
+#
+#       PLUTO_PEER_PORT
+#              is  the  UDP/TCP  port  to  which  the IPsec SA  is
+#              restricted on the peer side.
+#
+#       PLUTO_XAUTH_ID
+#              is an optional user ID employed by the XAUTH protocol
+#
+#       PLUTO_MARK_IN
+#              is an optional XFRM mark set on the inbound IPsec SA
+#
+#       PLUTO_MARK_OUT
+#              is an optional XFRM mark set on the outbound IPsec SA
+#
+#       PLUTO_UDP_ENC
+#              contains the remote UDP port in the case of ESP_IN_UDP
+#              encapsulation
+#
+#       PLUTO_DNS4_$i
+#       PLUTO_DNS6_$i
+#              contains IPv4/IPv6 DNS server attribute received from a
+#              responder, $i enumerates from 1 to the number of servers per
+#              address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice                   -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1])	# Older Pluto?!?  Play it safe, script may be using new features.
+	echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+	echo "$0: 	called by obsolete Pluto?" >&2
+	exit 2
+	;;
+1.*)	;;
+*)	echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+	exit 2
+	;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':')			# no parameters
+	;;
+iptables:iptables)	# due to (left/right)firewall; for default script only
+	;;
+custom:*)		# custom parameters (see above CAUTION comment)
+	;;
+*)	echo "$0: unknown parameters \`$*'" >&2
+	exit 2
+	;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+	doroute add
+	ip route flush cache
+}
+downroute() {
+	doroute delete
+	ip route flush cache
+}
+
+addsource() {
+	st=0
+	if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+	then
+	    it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+	    oops="`eval $it 2>&1`"
+	    st=$?
+	    if test " $oops" = " " -a " $st" != " 0"
+	    then
+		oops="silent error, exit status $st"
+	    fi
+	    if test " $oops" != " " -o " $st" != " 0"
+	    then
+		echo "$0: addsource \`$it' failed ($oops)" >&2
+	    fi
+	fi
+	return $st
+}
+
+doroute() {
+	st=0
+
+	if [ -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    for dir in /etc/sysconfig /etc/conf.d; do
+		if [ -f "$dir/defaultsource" ]
+		then
+		    . "$dir/defaultsource"
+		fi
+	    done
+
+	    if [ -n "$DEFAULTSOURCE" ]
+	    then
+		PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+	    fi
+        fi
+
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # leave because no route entry is required
+	    return $st
+	fi
+
+	parms1="$PLUTO_PEER_CLIENT"
+
+	if [ -n "$PLUTO_NEXT_HOP" ]
+	then
+	    parms2="via $PLUTO_NEXT_HOP"
+	else
+	    parms2="via $PLUTO_PEER"
+	fi
+	parms2="$parms2 dev $PLUTO_INTERFACE"
+
+	parms3=
+	if [ -n "$PLUTO_MY_SOURCEIP" ]
+	then
+	    if test "$1" = "add"
+	    then
+		addsource
+		if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+		then
+		    ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+		fi
+	    fi
+	    parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+	fi
+
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# opportunistic encryption work around
+		# need to provide route that eclipses default, without
+		# replacing it.
+		it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+			ip route $1 128.0.0.0/1 $parms2 $parms3"
+		;;
+	*)	it="ip route $1 $parms1 $parms2 $parms3"
+		;;
+	esac
+	oops="`eval $it 2>&1`"
+	st=$?
+	if test " $oops" = " " -a " $st" != " 0"
+	then
+	    oops="silent error, exit status $st"
+	fi
+	if test " $oops" != " " -o " $st" != " 0"
+	then
+	    echo "$0: doroute \`$it' failed ($oops)" >&2
+	fi
+	return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+	KLIPS=1
+	IPSEC_POLICY_IN=""
+	IPSEC_POLICY_OUT=""
+else
+	KLIPS=
+	IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+	IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+	IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+	S_MY_PORT="--sport $PLUTO_MY_PORT"
+	D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+	S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+	D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+	if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+	then
+	    # exit because no route will be added,
+	    # so that existing routes can stay
+	    exit 0
+	fi
+
+	# delete possibly-existing route (preliminary to adding a route)
+	case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+	"0.0.0.0/0.0.0.0")
+		# need to provide route that eclipses default, without
+		# replacing it.
+		parms1="0.0.0.0/1"
+		parms2="128.0.0.0/1"
+		it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+		oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+		;;
+	*)
+		parms="$PLUTO_PEER_CLIENT"
+		it="ip route delete $parms 2>&1"
+		oops="`ip route delete $parms 2>&1`"
+		;;
+	esac
+	status="$?"
+	if test " $oops" = " " -a " $status" != " 0"
+	then
+		oops="silent error, exit status $status"
+	fi
+	case "$oops" in
+	*'RTNETLINK answers: No such process'*)
+		# This is what route (currently -- not documented!) gives
+		# for "could not find such a route".
+		oops=
+		status=0
+		;;
+	esac
+	if test " $oops" != " " -o " $status" != " 0"
+	then
+		echo "$0: \`$it' failed ($oops)" >&2
+	fi
+	exit $status
+	;;
+route-host:*|route-client:*)
+	# connection to me or my client subnet being routed
+	uproute
+	;;
+unroute-host:*|unroute-client:*)
+	# connection to me or my client subnet being unrouted
+	downroute
+	;;
+up-host:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+down-host:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+ 	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	;;
+up-client:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+        if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+        then
+	    iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	    iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+down-client:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	PLUTO_INTERFACE=ipsec0
+	iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	    iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ 		-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+		-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+	    iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+		-s $PLUTO_MY_CLIENT $S_MY_PORT \
+		-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	fi
+	;;
+up-host:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+	then
+	  iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+	;;
+route-host-v6:*|route-client-v6:*)
+	# connection to me or my client subnet being routed
+	#uproute_v6
+	;;
+unroute-host-v6:*|unroute-client-v6:*)
+	# connection to me or my client subnet being unrouted
+	#downroute_v6
+	;;
+up-host-v6:)
+	# connection to me coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-host-v6:)
+	# connection to me going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-client-v6:)
+	# connection to my client subnet coming up
+	# If you are doing a custom version, firewall commands go here.
+	;;
+down-client-v6:)
+	# connection to my client subnet going down
+	# If you are doing a custom version, firewall commands go here.
+	;;
+up-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+down-host-v6:iptables)
+	# connection to me, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	    -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	    -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	    -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+	    -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+	#
+	# log IPsec host connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	    "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+	  fi
+	fi
+	;;
+up-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, coming up
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection setup
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO \
+	      "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+down-client-v6:iptables)
+	# connection to client subnet, with (left/right)firewall=yes, going down
+	# This is used only by the default updown script, not by your custom
+	# ones, so do not mess with it; see CAUTION comment up at top.
+	if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+	then
+	  ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	  ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	fi
+	#
+	# a virtual IP requires an INPUT and OUTPUT rule on the host
+	# or sometimes host access via the internal IP is needed
+	if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+	then
+	  ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+	      -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+	      -d $PLUTO_MY_CLIENT $D_MY_PORT \
+	         $IPSEC_POLICY_IN -j ACCEPT
+	  ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+	      -s $PLUTO_MY_CLIENT $S_MY_PORT \
+	      -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+	         $IPSEC_POLICY_OUT -j ACCEPT
+	fi
+	#
+	# log IPsec client connection teardown
+	if [ $VPN_LOGGING ]
+	then
+	  if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+	  then
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  else
+	    logger -t $TAG -p $FAC_PRIO -- \
+	      "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+	  fi
+	fi
+	;;
+*)	echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+	exit 1
+	;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/posttest.dat b/testing/tests/libipsec/rw-suite-b/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/rw-suite-b/pretest.dat b/testing/tests/libipsec/rw-suite-b/pretest.dat
new file mode 100644
index 000000000..8bbea1412
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/libipsec/rw-suite-b/test.conf b/testing/tests/libipsec/rw-suite-b/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/alg-camellia/description.txt b/testing/tests/openssl-ikev1/alg-camellia/description.txt
index 915e6c211..b3515c333 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/description.txt
+++ b/testing/tests/openssl-ikev1/alg-camellia/description.txt
@@ -1,4 +1,4 @@
-Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the cipher suite
-<b>CAMELLIA_CBC_192 / HMAC_SHA2_384 / MODP_3072</b> for the IKE protocol and 
-<b>CAMELLIA_CBC_192 / HMAC_SHA2_384_192 </b> for ESP packets. A ping from <b>carol</b> to
-<b>alice</b> successfully checks the established tunnel.
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 /
+HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as
+the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b>
+in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
index a3360e5a5..4d614bf7e 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/evaltest.dat
@@ -1,11 +1,11 @@
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_192/HMAC_SHA2_384/MODP_3072::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_192/HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_384::YES
-moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_384::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
index 982b2fdb2..7a276806e 100755..100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,14 +8,15 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=camellia192-sha384-modp3072!
-	esp=camellia192-sha384!
+	ike=camellia256-sha512-modp2048!
+	esp=camellia192-sha1!
 
 conn home
 	left=PH_IP_CAROL
+	leftfirewall=yes
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	auto=add
+	auto=add 
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
index 1ea14c6f2..c4ac99166 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
index b6f719256..fb892a041 100755..100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -1,25 +1,21 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug="control crypt"
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-       
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=camellia192-sha384-modp3072!
-	esp=camellia192-sha384!
+	ike=camellia256-sha512-modp2048!
+	esp=camellia192-sha1!
 
 conn rw
 	left=PH_IP_MOON
+	leftfirewall=yes
 	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	right=%any
-	rightid=carol@strongswan.org
 	auto=add
diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
index 1ea14c6f2..c4ac99166 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
index c6d6235f9..046d4cfdc 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/posttest.dat
@@ -1,2 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
index 6d2eeb5f9..388339fb8 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-camellia/pretest.dat
@@ -1,5 +1,7 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-carol::ipsec start
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
-carol::sleep 2 
+carol::ipsec start
+carol::sleep 1
 carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/openssl-ikev1/alg-camellia/test.conf b/testing/tests/openssl-ikev1/alg-camellia/test.conf
index 6abbb89a9..4a5fc470f 100644
--- a/testing/tests/openssl-ikev1/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev1/alg-camellia/test.conf
@@ -1,22 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
-
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
index f2b26fd7c..a1f31495d 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt
@@ -1,8 +1,8 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
-functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> plugin for 
-the Elliptic Curve Diffie-Hellman groups only.
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
+cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+plugin for the Elliptic Curve Diffie-Hellman groups only.
 <p>
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
index 6a6802780..ac7d8cd98 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat
@@ -1,11 +1,15 @@
-moon::cat /var/log/auth.log::ECP_256.*refused due to strict flag::YES
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384::YES
-dave::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/ECP_521::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
index 432fa52ea..2ed83f06a 100755..100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes192-sha384-ecp256,aes192-sha384-ecp384!
+	ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
index 1ea14c6f2..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
index 28304eb41..105ec3ce4 100755..100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha512-ecp256,aes256-sha512-ecp521!
+	ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
index 913e599ae..785772254 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = aes des sha1 sha2 md5 random pem pkcs1 x509 gmp pem pkcs1 openssl hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
index d6737f6e0..0a312b394 100755..100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
index 1ea14c6f2..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
index 5b0241433..84b6eb4bf 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt
@@ -1,8 +1,8 @@
 The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
-functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
-plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> plugin for 
-the Elliptic Curve Diffie-Hellman groups only.
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 
+certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
+cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+plugin for the Elliptic Curve Diffie-Hellman groups only.
 <p>
 The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
 to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
index 3c5ae4138..178d541da 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat
@@ -1,11 +1,15 @@
-moon::cat /var/log/auth.log::ECP_192.*refused due to strict flag::YES
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_224::YES
-dave::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
index 5a4d82699..6fe17a9ee 100755..100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha256-ecp192,aes128-sha256-ecp224!
+	ike=aes192-sha384-ecp192,3des-sha256-ecp224!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
index 1ea14c6f2..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
index ac828c182..ade897727 100755..100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha256-ecp192,aes128-sha256-ecp256!
+	ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
index 913e599ae..785772254 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = aes des sha1 sha2 md5 random pem pkcs1 x509 gmp pem pkcs1 openssl hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
index 870271c87..3992b52fb 100755..100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf
@@ -1,10 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha256-ecp224,aes128-sha256-ecp256!
+	ike=3des-sha256-ecp224,aes128-sha256-ecp256!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
index 1ea14c6f2..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
index 2aea10135..69c893f0c 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat
@@ -1,13 +1,19 @@
-moon::cat /var/log/auth.log::ECDSA-256 signature check passed::YES
-moon::cat /var/log/auth.log::ECDSA-384 signature check passed::YES 
-carol::cat /var/log/auth.log::ECDSA-256 signature check passed::YES
-dave::cat /var/log/auth.log::ECDSA-384 signature check passed::YES 
-moon::ipsec statusall::carol.*IPsec SA established::YES
-moon::ipsec statusall::dave.*IPsec SA established::YES
-carol::ipsec statusall::home.*IPsec SA established::YES
-dave::ipsec statusall::home.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::looking for ECDSA-256 signature peer configs matching.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::looking for ECDSA-384 signature peer configs matching.*dave@strongswan.org::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
index b0b6ff738..58914391c 100755..100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 29709926a..a85635faf 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,18 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5f21c1012..0a0b83889 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN EC PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+DEK-Info: DES-EDE3-CBC,0F93D8FBCA4CAA40
 
-Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
-KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
-RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+jyvWqe7yjLux30mLeMsjlEjWu1A7u4xdRUg/R+JzsUxnFDpJKOEd5LgXSExrgVwD
+RMlH6vVkZPboxmveOH8lXDVUyscYLLLTianw9R+Vj3zm6x7kT1CaNryLKfQSCVE8
+QGsF+LrF7/uIS+4RePGQyGv4C3pbBCB168+e362WnjQ=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 1ea14c6f2..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
index 23813b20b..150c63bc7 100755..100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
@@ -1,10 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	plutodebug=control
-	charonstart=no
-	
+
 conn %default
 	ikelifetime=60m
 	keylife=20m
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 075d8f1e5..e97709a3f 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,19 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
-IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
-zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
-A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
-atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
-IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
-dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
-LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
-ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
-wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
-g+Z+grJzTppAqpwRpg==
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
index f628f88e5..574c86a2e 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,6 +1,6 @@
 -----BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX
-+BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9
-t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P
-JDBocD1n1eCSwM67KOfouuPmOML0QgU=
+MIGkAgEBBDCFbFPkGF4ez8EzHm6pTVCr17Q1+GACxn7m0EE4UVoq7RQBNk4NOxhE
+hJZpquwjgqegBwYFK4EEACKhZANiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwp
+nPP1dWQl4DprDokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6Qq
+Qt/AtuPjCL7r3k3F0Nsj/TGSjRmcMr4=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 4c5d53dff..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
index f22a4ac4c..5cf82c6b8 100755..100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	plutodebug=control
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,21 +9,11 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev1
 
-conn carol
-	also=moon
-	leftcert=moon_ec256_Cert.pem
-	rightid=carol@strongswan.org
-	auto=add
-
-conn dave
-	also=moon
-	leftcert=moon_ec384_Cert.pem
-	rightid=dave@strongswan.org
-	auto=add
-
-conn moon 
+conn rw
 	left=PH_IP_MOON
+	leftcert=moonCert.pem
 	leftid=@moon.strongswan.org
 	leftsubnet=10.1.0.0/16
 	leftfirewall=yes
 	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..25f0538a7
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
+NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem
deleted file mode 100644
index d5e61558e..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem
+++ /dev/null
@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC7DCCAk+gAwIBAgIBBTAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDkwNjEyMTYwNjMzWhcNMTQwNjExMTYwNjMzWjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzBZMBMGByqGSM49
-AgEGCCqGSM49AwEHA0IABIU/UvJ7ro2AYsFWXZKH9K4FD9O5kNfi3/H3+10kAy6s
-eQUab8qaAhTahBHuywzanVTiJPK5caQSvnpt+z1RJDqjggETMIIBDzAJBgNVHRME
-AjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUq1PybZZ+RZuJICuoDUhXdLy/iacw
-eAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYT
-AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT
-d2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAeBgNVHREEFzAVghNtb29uLnN0cm9u
-Z3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dh
-bi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCQYHKoZIzj0EAQOBiwAwgYcCQWYZnZLl
-iimVcAs5p7SXpHmcnlIX9C4EFzNtY+zoDfPM9Qx/vGY2hKa65tyhepn5RFyNqH6d
-slr5EBqoT5Vt86kJAkIAx/dyiLLqT0+lJiyxjLQuAaLRWHwlgq7jaUhoQusxno62
-dIfe0U1QjgumA+zXoAnbLBF3KnnrKvHByv7ejeH0Ys4=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem
deleted file mode 100644
index 45224b09b..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCjCCAmygAwIBAgIBBjAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDkwNjEyMTYwNzA2WhcNMTQwNjExMTYwNzA2WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-Mzg0IGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABK4TajAd1pgzhJJsmyjw1Zb/CdEe0eWKmEyP1OjmwRwS37Tx
-3wV9C9ZzCYBsJlvbH53kyeZYoAojUL5sXDVBq8qu23jSjBCesypSiNt/8akt+4bg
-a4qMN2zutd/U1fC5C6OCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
-A1UdDgQWBBT43sZUBjwcO+QW4PXk7KoOxxkm3jB4BgNVHSMEcTBvgBS6XflxthO1
-atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
-IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
-dX4i76aJMB4GA1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
-LmNybDAJBgcqhkjOPQQBA4GMADCBiAJCAUfrzEnQUA0dqpo9I2YaFh3Y+QnFosTg
-b46jcbxm/LbIeWDxwU2HK3Qfo+tGsXJnh73lKo8B0o+OsXt4gP+GQutCAkIBu7Aw
-0iUx8d84SqHiBZBDIk/X6NV62YZXVhO9rPON0r/kdmeZ8OvPD53JgE64irFf6Wp+
-3ictLD61ItW0nxNHlcE=
------END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..a1ba4c9b9
--- /dev/null
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIB2FqpGVb6Q8oGdL/boMxg+9G1lKAFqWXVm1jhjmrTyyc6lFJ5Hcix
++G8ZaNPJ7fLC3NU4uxW3Y9wo1K6yMDfqZhugBwYFK4EEACOhgYkDgYYABABlnLak
+OG+HzUgAp5XIOQN58R1OV+aoq/hKfEM4mDaJFK4vTemT194qTZVQIugGEuzF1mQg
+Yk9oNMhhX8EsT4Wv6wE0d5u2nIMhkLdARNlCdGe2X45I1D2iihIZsNH8treYFIT2
+lzAV57uYRo1M+IGmgKbGiba+XhMHUNCCPQxu9bUgNg==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem
deleted file mode 100644
index 66b6315f9..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem
+++ /dev/null
@@ -1,5 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIE+rz/5axOOEvTVs9nnmKyF1v/rgmdIvam+BfSSS1SGpoAoGCCqGSM49
-AwEHoUQDQgAEhT9S8nuujYBiwVZdkof0rgUP07mQ1+Lf8ff7XSQDLqx5BRpvypoC
-FNqEEe7LDNqdVOIk8rlxpBK+em37PVEkOg==
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem
deleted file mode 100644
index 64f7fcfd1..000000000
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDDvvge4iZDHIaL0IDBs4gVesErZZWOud3NysAEayGW4iTb6wjQLtIVF
-1i7d8lV6Uc2gBwYFK4EEACKhZANiAASuE2owHdaYM4SSbJso8NWW/wnRHtHliphM
-j9To5sEcEt+08d8FfQvWcwmAbCZb2x+d5MnmWKAKI1C+bFw1QavKrtt40owQnrMq
-Uojbf/GpLfuG4GuKjDds7rXf1NXwuQs=
------END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
index 8a8812e0f..1ef3eccb5 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets
@@ -1,5 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: ECDSA moon_ec256_Key.pem
-
-: ECDSA moon_ec384_Key.pem
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 1ea14c6f2..0bbf93a18 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-pluto {
-  load = pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+charon {
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
index 73fe3096d..1865a1c60 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat
@@ -1,8 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
-moon::rm /etc/ipsec.d/private/*
-moon::rm /etc/ipsec.d/certs/*
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev1/rw-cert/description.txt b/testing/tests/openssl-ikev1/rw-cert/description.txt
deleted file mode 100644
index 5185b5216..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/description.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
-certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp</b> and <b>x509</b>.
-<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
-to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
-the client <b>alice</b> behind the gateway <b>moon</b>.
-
diff --git a/testing/tests/openssl-ikev1/rw-cert/evaltest.dat b/testing/tests/openssl-ikev1/rw-cert/evaltest.dat
deleted file mode 100644
index 1a9b9159f..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/evaltest.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-moon::ipsec statusall::IPsec SA established::YES
-carol::ipsec statusall::IPsec SA established::YES
-dave::ipsec statusall::IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 80dae3719..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=3des-sha1-modp1536!
-
-conn home
-	left=PH_IP_CAROL
-	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index a8fecbc2f..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 73167caad..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha256-modp2048!
-
-conn home
-	left=PH_IP_DAVE
-	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
-	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
-	auto=add
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index 85164eeb7..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    required = yes
-    on_add = yes
-  }
-}
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index f365b07da..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
-
-conn %default
-	ikelifetime=60m
-	keylife=20m
-	rekeymargin=3m
-	keyingtries=1
-	keyexchange=ikev1
-	ike=aes256-sha256-modp2048,3des-sha1-modp1536!
-
-conn rw
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	right=%any
-	auto=add
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 763503e29..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-pluto {
-  load = test-vectors pem pkcs1 openssl random hmac curl kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
-  integrity_test = yes
-  crypto_test {
-    on_add = yes
-  }
-}
-
diff --git a/testing/tests/openssl-ikev1/rw-cert/posttest.dat b/testing/tests/openssl-ikev1/rw-cert/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/openssl-ikev1/rw-cert/pretest.dat b/testing/tests/openssl-ikev1/rw-cert/pretest.dat
deleted file mode 100644
index 42e9d7c24..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
diff --git a/testing/tests/openssl-ikev1/rw-cert/test.conf b/testing/tests/openssl-ikev1/rw-cert/test.conf
deleted file mode 100644
index 70416826e..000000000
--- a/testing/tests/openssl-ikev1/rw-cert/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt b/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt
new file mode 100644
index 000000000..cfa7a11b9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt
@@ -0,0 +1,16 @@
+The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate
+functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical
+plugins <b>aes des sha1 sha2 md5 gmp hmac gcm</b> and <b>x509</b>.
+<p/>
+Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-prfsha512-modp2048</b>
+(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-modp2048</b> in ipsec.conf,
+respectively.
+<p/>
+Roadwarrior <b>dave</b> proposes to gateway <b>moon</b> the cipher suite
+<b>AES_GCM_16_128</b> both for IKE and ESP by defining <b>ike=aes128gcm16-prfsha256-modp1536</b>
+(or alternatively <b>aes128gcm128</b>) and <b>esp=aes128gcm16-modp1536</b> in ipsec.conf,
+respectively.
+<p/>
+A ping by <b>carol</b> and <b>dave</b> to <b>alice</b> successfully checks the established tunnels.
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat
new file mode 100644
index 000000000..4cf89b765
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat
@@ -0,0 +1,26 @@
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw\[1].*IKE proposal: AES_GCM_16_256::YES
+moon:: ipsec statusall 2> /dev/null::rw\[2].*IKE proposal: AES_GCM_16_128::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES
+dave:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_128::YES
+moon:: ipsec statusall 2> /dev/null::rw[{]1}.*AES_GCM_16_256,::YES
+moon:: ipsec statusall 2> /dev/null::rw[{]2}.*AES_GCM_16_128,::YES
+carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES
+dave:: ipsec statusall 2> /dev/null::AES_GCM_16_128,::YES
+moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES
+carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
+dave:: ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
+
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..c0016ff61
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm128-prfsha512-modp2048!
+	esp=aes256gcm128-modp2048!
+
+conn home
+	left=PH_IP_CAROL
+	leftfirewall=yes
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5481f7b72
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 random nonce revocation openssl stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..335eda02c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-modp1536!
+	esp=aes128gcm128-modp1536!
+
+conn home
+	left=PH_IP_DAVE
+	leftfirewall=yes
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add 
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..564e4ea8c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..566298bed
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm16-prfsha512-modp2048,aes128gcm16-prfsha256-modp1536!
+	esp=aes256gcm16-modp2048,aes128gcm16-modp1536!
+
+conn rw
+	left=PH_IP_MOON
+	leftfirewall=yes
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5481f7b72
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 random nonce revocation openssl stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
new file mode 100644
index 000000000..972d93053
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1 
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf
new file mode 100644
index 000000000..c3f38054b
--- /dev/null
+++ b/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol dave winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
index f1b33895b..cd83c56b4 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat
@@ -1,16 +1,17 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ipsec statusall::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES
+dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES
+dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES
 carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES
-dave::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ipsec statusall::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES
-dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 180::YES
+dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES
 
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
index 62e181012..adee238e6 100755..100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=blowfish256-sha512-modp2048!
-	esp=blowfish192-sha256!
+	esp=blowfish192-sha384!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
index bdbdad2e5..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
index 26f3f3a04..e22322431 100755..100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=blowfish128-sha256-modp1536!
-	esp=blowfish128-sha1!
+	esp=blowfish128-sha256!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
index bdbdad2e5..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
index 31a00f7fb..43bbb36a9 100755..100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -12,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536!
-	esp=blowfish192-sha256,blowfish128-sha1!
+	esp=blowfish192-sha384,blowfish128-sha256!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
index bdbdad2e5..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/test.conf b/testing/tests/openssl-ikev2/alg-blowfish/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/test.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
index d77c4806e..4d614bf7e 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat
@@ -1,11 +1,11 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
-moon::ip xfrm state::enc cbc(camellia)::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+carol::ipsec statusall 2> /dev/null::CAMELLIA_CBC_192/HMAC_SHA1_96::YES
+moon:: ip xfrm state::enc cbc(camellia)::YES
 carol::ip xfrm state::enc cbc(camellia)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
index 37f8a7ecf..004295437 100755..100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index e96dfe574..c4ac99166 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
index f8d7e3fe9..0f6a4f569 100755..100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index e96dfe574..c4ac99166 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
index 3c3df0196..886fdf55c 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/test.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
index 009936466..375ed86a1 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat
@@ -1,12 +1,17 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES
-dave::cat /var/log/daemon.log::ECP_256.*ECP_521::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::ECP_256.*ECP_521::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
index 0550a09b4..2fd776e25 100755..100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes192-sha384-ecp256,aes192-sha384-ecp384!
+	ike=aes128-sha256-ecp256,aes192-sha384-ecp384!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
index b9da84efb..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
index 22026fc36..8d8989ed7 100755..100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-sha512-ecp256,aes256-sha512-ecp521!
+	ike=aes128-sha256-ecp256,aes256-sha512-ecp521!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index 01fd353c1..785772254 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 random gmp pem pkcs1 x509 openssl revocation hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
index ffe13d259..addcc6175 100755..100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
index b9da84efb..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
index e2073d9be..c46ed1dd2 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat
@@ -1,12 +1,17 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES
-dave::cat /var/log/daemon.log::ECP_192.*ECP_256::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::ECP_192.*ECP_256::YES
+carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
+dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
index 6a15b3f54..b754c29ba 100755..100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-ecp192,aes128-sha256-ecp224!
+	ike=aes192-sha384-ecp192,3des-sha256-ecp224!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
index b9da84efb..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
index b4bdf456f..b5e9215c5 100755..100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-ecp192,aes128-sha256-ecp256!
+	ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
index 01fd353c1..785772254 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 random gmp pem pkcs1 x509 openssl revocation hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
index 64ec0f12c..2e4a15ec3 100755..100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -11,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-ecp224,aes128-sha256-ecp256!
+	ike=3des-sha256-ecp224,aes128-sha256-ecp256!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
index b9da84efb..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
-}
-
-libstrongswan {
-  ecp_x_coordinate_only = no
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
index 1c23dcad6..cc904c8bc 100644
--- a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat
@@ -1,6 +1,6 @@
 moon::cat /var/log/daemon.log::sending end entity cert::YES
 moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
-sun::cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
-sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
-sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
-sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
+sun:: cat /var/log/daemon.log::found unsupported critical X.509 extension::YES
+sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
+sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
+sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf
index 2e3c9dde4..3b065774f 100755..100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
index f4ab41f2c..628476313 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 random nonce openssl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
 
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf
index 19e197131..2b4406d75 100755..100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
index c45805ca6..444a41dbc 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 random nonce openssl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/openssl-ikev2/critical-extension/posttest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/openssl-ikev2/critical-extension/pretest.dat
+++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf
index 41ee3037e..b286ef6eb 100644
--- a/testing/tests/openssl-ikev2/critical-extension/test.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS=""
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
index 868da5776..0110bb996 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
@@ -1,12 +1,17 @@
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
-moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
 carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
index c75d6b2a1..dd2ceea60 100755..100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 29709926a..a85635faf 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,18 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5f21c1012..d2f97f858 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN EC PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+DEK-Info: AES-128-CBC,0C53E74E6B5AC2D7475EFF30478B9D5F
 
-Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
-KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
-RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+eHLtgaAjHt0sWRnBnRAt8CEPjak58pCwVbH+7Vfz2dy//GRvZviPA/TEQDtznPde
+v5yIDGUe6vvtoY4oXemGi5SQiP8KAuaKylMQEjm2FHYwT/SgIwk5EZZjI4CcFBnK
+NWV3z5oPiW6hZebwUHWaioSAYK1awOtFcp0l4UGA31U=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
index bdbdad2e5..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
index 080ce9bce..4c6e11f16 100755..100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 075d8f1e5..e97709a3f 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,19 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
-IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
-zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
-A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
-atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
-IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
-dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
-LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
-ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
-wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
-g+Z+grJzTppAqpwRpg==
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
index f628f88e5..574c86a2e 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,6 +1,6 @@
 -----BEGIN EC PRIVATE KEY-----
-MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX
-+BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9
-t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P
-JDBocD1n1eCSwM67KOfouuPmOML0QgU=
+MIGkAgEBBDCFbFPkGF4ez8EzHm6pTVCr17Q1+GACxn7m0EE4UVoq7RQBNk4NOxhE
+hJZpquwjgqegBwYFK4EEACKhZANiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwp
+nPP1dWQl4DprDokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6Qq
+Qt/AtuPjCL7r3k3F0Nsj/TGSjRmcMr4=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
index bdbdad2e5..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
index c932101d2..e67d9af9b 100755..100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 5178c7f38..25f0538a7 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,20 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
 NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
-PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
-5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
-BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
-Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
-Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
-j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
-VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
-dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
-SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
-l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
-mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
-CI9WpQ==
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
index beab0485f..a1ba4c9b9 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,7 +1,7 @@
 -----BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
-yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
-1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
-tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
-pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
+MIHcAgEBBEIB2FqpGVb6Q8oGdL/boMxg+9G1lKAFqWXVm1jhjmrTyyc6lFJ5Hcix
++G8ZaNPJ7fLC3NU4uxW3Y9wo1K6yMDfqZhugBwYFK4EEACOhgYkDgYYABABlnLak
+OG+HzUgAp5XIOQN58R1OV+aoq/hKfEM4mDaJFK4vTemT194qTZVQIugGEuzF1mQg
+Yk9oNMhhX8EsT4Wv6wE0d5u2nIMhkLdARNlCdGe2X45I1D2iihIZsNH8treYFIT2
+lzAV57uYRo1M+IGmgKbGiba+XhMHUNCCPQxu9bUgNg==
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
index bdbdad2e5..0bbf93a18 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
index 868da5776..8a4215dcc 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
@@ -1,12 +1,13 @@
-moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
-moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
 carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
index c75d6b2a1..dd2ceea60 100755..100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 29709926a..a85635faf 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,18 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5151408c4..681c1ee67 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,6 +1,6 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIGwMBsGCSqGSIb3DQEFAzAOBAgzSp1guD3Y3wICCAAEgZD3lUKsfeQ6rwQA2Q2U
-VIyw2+53Z6kfn2vs9I8M197o4AtunwMJ7N6XY441fzcCbstmZ4HoubcuqCXsw5BA
-liVtV0+vnMY6ViJ5OKgzBNGYW39Bu1A5/2NHh0Hsaoop6VPEY67KyhxHBrBrX6fk
-Hn5eZyUKHa6NNGK9bWLqR8CjRNYQpg8NlwUIIxuFFTBw9oc=
+MIGwMBsGCSqGSIb3DQEFAzAOBAhvrv2j+DAo4AICCAAEgZAkhslW1CuYRZ7SKigR
+p/5suJU4xR6scHyS1yVYtrTC99Ha287MuS1/KUf0DZasx89AxoYcOgr+YvuIrUYw
+/f8cNmkcw3E2EvGwy7VVtqf12M+j4B2eUSNjaQvw4sQvxFPlbETocWYaLOOZrgr1
+/+b5n4o4VZ/MYDyfxmgNNluXaVGz9xP5pTvHI7ocDJzh5d4=
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
index 35c522d0e..440bdaa4b 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 pkcs8 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 pkcs8 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
index 080ce9bce..4c6e11f16 100755..100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index 075d8f1e5..e97709a3f 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,19 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49
-AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y
-IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA
-zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G
-A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1
-atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
-IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai
-dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj
-LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH
-ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/
-wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv
-g+Z+grJzTppAqpwRpg==
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
index 6555adac1..6dca1f239 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIBBTBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIYdanoOIx6X4CAggA
-MBQGCCqGSIb3DQMHBAjoXTbsYeKpJwSBwBRbP2I3UOHWIrQhM7OqdWGt1+phdNy8
-5Xbus6e/DUp8xalohZD/QTZT3QpMEDuqJ0U3OIB01RWUmlPeUBx+NaPvLb/tQCZg
-iLwdq5E9otbO9nK9G7NDeV22VigMZhZgtpdKqw7TAqgkzqpGfyM+mcUygiGxWwWC
-UyC4G3rxyZVL2zRS/iDpJCIn2kceQk+mu+or3oX5rzzH82b69RQt36gEvd2rX/WU
-gHH/XkNXhL0y0yRkVhowKHE2ZwMNTDbM3g==
+MIIBBTBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI9Dxjbv7bnuoCAggA
+MBQGCCqGSIb3DQMHBAjONh5rePJ/owSBwG8qgvCeUae7yZQRM1iEa90zq1yrS71z
+l5dEFzeFnYcu25qVK6IkYRHUFZIDGep+2Ep33+IrCYadV69AjCdM3Lnl+cjp+vVn
+o1ZvXoNKMor0AHyuTbHI/xdOrd2ZFjkWITnXX2qHTKViFFBoMGo7Jb9XI2eAT4hF
+0Z2EaAzl383eBQ/Wb/Jr0c+cwi5lvRLW5OKp48mQ5++8wJlaw+7W1MxPVhggG6U3
+lVzl9N+aLEFOSr0b8EMTDywJNBJZcNOQZw==
 -----END ENCRYPTED PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
index 35c522d0e..440bdaa4b 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 pkcs8 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 pkcs8 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
index c932101d2..e67d9af9b 100755..100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 5178c7f38..25f0538a7 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,20 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
 NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
-PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
-5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
-BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
-Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
-Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
-j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
-VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
-dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
-SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
-l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
-mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
-CI9WpQ==
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 5c31d677c..04db7f7e0 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN PRIVATE KEY-----
-MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIBrBxHEGICJRNkhm0H
-WfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42yOKQqifWEcNWxO+wWtBaz91IF5hz
-/m4TbOGhgYkDgYYABAC5p5fz1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp
-1kiaM98op6Tx3XIR9FJJyrfwtiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4
-m62p4gFEqUmg4Ylq307XkTVqpM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHq
-bg==
+MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIB2FqpGVb6Q8oGdL/b
+oMxg+9G1lKAFqWXVm1jhjmrTyyc6lFJ5Hcix+G8ZaNPJ7fLC3NU4uxW3Y9wo1K6y
+MDfqZhuhgYkDgYYABABlnLakOG+HzUgAp5XIOQN58R1OV+aoq/hKfEM4mDaJFK4v
+TemT194qTZVQIugGEuzF1mQgYk9oNMhhX8EsT4Wv6wE0d5u2nIMhkLdARNlCdGe2
+X45I1D2iihIZsNH8treYFIT2lzAV57uYRo1M+IGmgKbGiba+XhMHUNCCPQxu9bUg
+Ng==
 -----END PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
index 35c522d0e..440bdaa4b 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 pkcs8 openssl revocation random hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 pkcs8 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/net2net-pgp-v4/description.txt b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
index c82eec9ba..e66ea1918 100644
--- a/testing/tests/ikev1/net2net-pgp-v4/description.txt
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/description.txt
@@ -1,6 +1,8 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-The authentication is based on <b>OpenPGP V4 keys</b>. Upon the successful
-establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
+<b>PKCS12</b> format.
+<p/>
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
 inserts iptables-based firewall rules that let pass the tunneled traffic.
 In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
 pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
new file mode 100644
index 000000000..2b37cad99
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..0296e1804
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
new file mode 100644
index 000000000..d3cca4fd5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..802cfc681
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ"
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..2074a4d8f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem nonce revocation openssl stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..6dcedd0e6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
new file mode 100644
index 000000000..1a9e2aa01
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
index 1b721dc58..3dc85528c 100644
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets
@@ -1,6 +1,7 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+: P12 sunCert.p12 "IxjQVCF3JGI+MoPi"
+
 
 
 
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..2074a4d8f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem nonce revocation openssl stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
new file mode 100644
index 000000000..0fbba487c
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/private/moonCert.p12
+sun::rm /etc/ipsec.d/private/sunCert.p12
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
new file mode 100644
index 000000000..3492238f0
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.d/private/moonKey.pem
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+sun::rm /etc/ipsec.d/private/sunKey.pem
+sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1 
+moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
index 06a0f8cda..ba661975b 100644
--- a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
index 4a8baa3ae..213cd70fa 100755..100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 2b862e1b3..9f31821cd 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
index 42f03aab3..653316fde 100755..100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 4e74127fe..5708510ef 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
index 2e84f2e6a..16299b339 100755..100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 48b7d16f2..f065861dc 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl revocation random hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/posttest.dat b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/openssl-ikev2/rw-cert/posttest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/openssl-ikev2/rw-cert/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/openssl-ikev2/rw-cert/test.conf b/testing/tests/openssl-ikev2/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/openssl-ikev2/rw-cert/test.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
index 41ebec307..a2c02f630 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
@@ -1,10 +1,10 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
+moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
index 02ece4738..c8f63bced 100755..100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
@@ -19,7 +18,8 @@ conn home
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightid="C=CH, O=Linux strongSwan, OU=ECDSA 521 bit, CN=moon.strongswan.org"
+	rightid="C=CH, O=Linux strongSwan, OU=ECSA 521 bit, CN=moon.strongswan.org"
+	rightauth=any
 	rightsubnet=10.1.0.0/16
 	rightsendcert=never
 	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 29709926a..a85635faf 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,18 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
-MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
-PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS
-4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T
-BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9
-MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n
-U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
-b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz
-d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+
-sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx
-ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn
-s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c=
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 5f21c1012..d2f97f858 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,8 +1,8 @@
 -----BEGIN EC PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E
+DEK-Info: AES-128-CBC,0C53E74E6B5AC2D7475EFF30478B9D5F
 
-Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt
-KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble
-RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk=
+eHLtgaAjHt0sWRnBnRAt8CEPjak58pCwVbH+7Vfz2dy//GRvZviPA/TEQDtznPde
+v5yIDGUe6vvtoY4oXemGi5SQiP8KAuaKylMQEjm2FHYwT/SgIwk5EZZjI4CcFBnK
+NWV3z5oPiW6hZebwUHWaioSAYK1awOtFcp0l4UGA31U=
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
index ed9b8c764..6072bb335 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 random openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
index 2679d4f9b..28a5cad31 100755..100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tls 2"
 
 conn %default
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 5178c7f38..25f0538a7 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,20 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD
-VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv
-b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG
-EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg
+MIICnTCCAf+gAwIBAgIBDTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODEwMDIxNloXDTE4MDYwMjEwMDIxNlowXTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFTATBgNVBAsTDEVDU0Eg
 NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO
-PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs
-5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9
-BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX
-Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU
-Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu
-j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
-bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD
-VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito
-dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG
-SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt
-l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH
-mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD
-CI9WpQ==
+PQIBBgUrgQQAIwOBhgAEAGWctqQ4b4fNSACnlcg5A3nxHU5X5qir+Ep8QziYNokU
+ri9N6ZPX3ipNlVAi6AYS7MXWZCBiT2g0yGFfwSxPha/rATR3m7acgyGQt0BE2UJ0
+Z7ZfjkjUPaKKEhmw0fy2t5gUhPaXMBXnu5hGjUz4gaaApsaJtr5eEwdQ0II9DG71
+tSA2o4GBMH8wHwYDVR0jBBgwFoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0R
+BBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRw
+Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49
+BAMEA4GLADCBhwJBAjPn1KkfPOlfn51b6AtISSpccCsKJ6LhJiSLuQp0SzMrg3mv
+vSIkNpVrUigW0VVMwcanW3UuYKSxMBl3Z30+RpYCQgGh8v1XO4SO3DmVLD9+JLil
+9Dp0TNkzNLdOqeuIX6ili5yhnLU8chwSlpJ9d81FdAjHP9EDPO+7fTswC2vYL+Rm
+2A==
 -----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
index beab0485f..a1ba4c9b9 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,7 +1,7 @@
 -----BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42
-yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz
-1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw
-tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq
-pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg==
+MIHcAgEBBEIB2FqpGVb6Q8oGdL/boMxg+9G1lKAFqWXVm1jhjmrTyyc6lFJ5Hcix
++G8ZaNPJ7fLC3NU4uxW3Y9wo1K6yMDfqZhugBwYFK4EEACOhgYkDgYYABABlnLak
+OG+HzUgAp5XIOQN58R1OV+aoq/hKfEM4mDaJFK4vTemT194qTZVQIugGEuzF1mQg
+Yk9oNMhhX8EsT4Wv6wE0d5u2nIMhkLdARNlCdGe2X45I1D2iihIZsNH8treYFIT2
+lzAV57uYRo1M+IGmgKbGiba+XhMHUNCCPQxu9bUgNg==
 -----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
index 46d8e2933..5660f4376 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 random openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
 
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
index ed5498bfe..388339fb8 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
new file mode 100644
index 000000000..c1a3da88e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on Suite B with 128 bit 
+security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
+authenticated encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
+an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
+<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
new file mode 100644
index 000000000..7169a091d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
@@ -0,0 +1,11 @@
+dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..61e13df41
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..a85635faf
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..d29ddb9ee
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49
+AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B
+rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3d6725162
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..128d4f2d9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..22fcb3eb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..c83be145d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh
+RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c
+CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3
+45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi
+gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..17e94022e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICwxFtCsSqIAzwZDyxHclTRdz/tGzAY7fP/vPoxqr8vuoAoGCCqGSM49
+AwEHoUQDQgAENGlLrntwXAbxemhCEiA+HPplQScr0ptnz1UUZAEKoUZLUxzGA1mO
+gfHv4hq+Bg3heW46+OrzAeXhLVcd3IVm0A==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..958a502c2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f7044e51d
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+	ike=aes128gcm128-prfsha256-ecp256!
+	esp=aes128gcm128-ecp256!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..a3b043e82
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBBzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MTc0M1oXDTE4MDYwMjA3MTc0M1owXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAATf97+pfDnyPIA9gf6bYTZiIjNBAbCjCIqxxWou/oMq
+/9V1O20vyI/dg2g3yzTdzESUa+X81fop+i2n9ymBqI1No4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCALNndw3C
+DDWCb0f+6P6hxkqiYmUpv39XrioZrLbw+MjMD2WAchbj60KibBep1cVwIq3kWIJ6
+Jj0tYXG+f6yjmImqAkIBGOGRm+MQZxPFdYZoJZq5QXwIN0w2hJxmLIxBASW4PLdl
+RLIlvW/XTJObdb0VVYmClg0HTSvuuYOJrzwdyd8D1w0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..5bd2778a9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHWBnv6tDi/CTTWOQi/0XME7r8Wd5GRPaXx3wNTElpSvoAoGCCqGSM49
+AwEHoUQDQgAE3/e/qXw58jyAPYH+m2E2YiIzQQGwowiKscVqLv6DKv/VdTttL8iP
+3YNoN8s03cxElGvl/NX6Kfotp/cpgaiNTQ==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..cc12d1659
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fc49f9fd2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2 
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
new file mode 100644
index 000000000..fc7173430
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
new file mode 100644
index 000000000..24bb2b3df
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt
@@ -0,0 +1,12 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on Suite B with 192 bit 
+security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b>
+authenticated encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, the static IPsec policy rules of
+an iptables-based firewall let pass the tunneled traffic. In order to test both tunnel and firewall,
+<b>carol</b> pings the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
new file mode 100644
index 000000000..57cbee1d4
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
@@ -0,0 +1,11 @@
+dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-384 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..14146ef01
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm128-prfsha384-ecp384!
+	esp=aes256gcm128-ecp384!
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..f43957143
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICfDCCAd2gAwIBAgIBCjAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzE1NFoXDTE4MDYwMjA3MzE1NFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMHYwEAYHKoZI
+zj0CAQYFK4EEACIDYgAERiDlh/bOFDq6bSRdDq2ivOcNcxWSGlO5dy5yBRvAhTWl
+NJcy93jxhDIzF5mxPpmgNXpdmSBRKbm3ydkw8LbWI+5/lje06Yl6nOLBO6Zb7GqH
+XFO+BqJrUxzbdHXwxWqto4GDMIGAMB8GA1UdIwQYMBaAFLpd+XG2E7Vq0d26Nreq
+0sHuj9jSMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1
+MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9l
+Yy5jcmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIA8mbKzo+mp8umjvpoQUo5pIvR1CQQ
+lvBGCUWv7mtq1CVBXzv7Z+HQqPsrL388RymEErA7BzDMkPKTa5E3ZV5LL38CQgDx
++v/cIcJdYngOOF0IgVSDzcGgSvOmMlPF/D97eC4Od7XwdYl5p9Sxi4SjmDZZi4r/
+EArN3teDfoc7CZcRxWcDhQ==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..b94625718
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCkhn8iMx3xfYLzonabc5FVG700UU6WKdke251F8ncgj1sGd5HZCV+N
+6pHODLMII96gBwYFK4EEACKhZANiAARGIOWH9s4UOrptJF0OraK85w1zFZIaU7l3
+LnIFG8CFNaU0lzL3ePGEMjMXmbE+maA1el2ZIFEpubfJ2TDwttYj7n+WN7TpiXqc
+4sE7plvsaodcU74GomtTHNt0dfDFaq0=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3d6725162
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..128d4f2d9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..f6feda0bb
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	ike=aes256gcm128-prfsha384-ecp384!
+	esp=aes256cm128-ecp384!
+
+conn peer
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_CAROL
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..e97709a3f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICeTCCAdqgAwIBAgIBDDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzUxOVoXDTE4MDYwMjA3MzUxOVowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwpnPP1dWQl4Dpr
+DokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6QqQt/AtuPjCL7r
+3k3F0Nsj/TGSjRmcMr6jgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYwAMIGIAkIB/x2+UiGE5T7229M2Ic2BMYLWSBQlZJeT
+d3uniJb3NAkeQAhDgj0TOxVdMz1SkgScLRS2RKYpsxiVsV+tVuijTMQCQgHn1WtY
+iiSY7OWcX9hQEqWDV0TxoNcgInEhsmtMbseCpR0dYXYsm54oC0pqVBeKp0GC7KJr
+ZEmeb0/mRB56osgppA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..574c86a2e
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDCFbFPkGF4ez8EzHm6pTVCr17Q1+GACxn7m0EE4UVoq7RQBNk4NOxhE
+hJZpquwjgqegBwYFK4EEACKhZANiAATVOQOBWOH7PhHx/mc+y5+uDpW/maSCkGwp
+nPP1dWQl4DprDokGZC8P+pm1j0sBvzbSCuHZCAkaSptYavgv4VVJ/X5u89tnj6Qq
+Qt/AtuPjCL7r3k3F0Nsj/TGSjRmcMr4=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT  -i eth0 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..958a502c2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+  initiator_only = yes
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f37dae945
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekey=no
+	reauth=no
+	keyexchange=ikev2
+	ike=aes256gcm128-prfsha384-ecp384!
+	esp=aes256gcm128-ecp384!
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	auto=add
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..7bf96cdc8
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICdzCCAdqgAwIBAgIBCDAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjA1MFoXDTE4MDYwMjA3MjA1MFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDM4NCBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwdjAQBgcqhkjO
+PQIBBgUrgQQAIgNiAAQh4YOVBbRxtdaM7uJvDrZqt6a1jJo+rijEV5Nw1OqU5jlk
+srCtZwcZXrR67MlqzFNyvkHtbcWRuBjL55xjQE+YavKnltuKu42COUhWXh760M/c
+2SNzsjvsJgGXAsiPwiajgYEwfzAfBgNVHSMEGDAWgBS6XflxthO1atHduja3qtLB
+7o/Y0jAeBgNVHREEFzAVghNtb29uLnN0cm9uZ3N3YW4ub3JnMDwGA1UdHwQ1MDMw
+MaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9lYy5j
+cmwwCgYIKoZIzj0EAwQDgYoAMIGGAkE35mfDj/fFUXGsetoU9l9Kt3jbIKYugJgE
+2gmv/MW8jwrqoP7y6ATHXJkonA6AvEK+o0ZMrae55lIKPkBh5xk3XQJBfp5Eqg6Y
+efRIXUeLksM56fRjVwJS6es7qb8l1q6+c1wC1A3lEHQvAs+kJxFfFyni2oxA923F
+h2eoaYy9vSqET5Q=
+-----END CERTIFICATE-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..231aa3bdc
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDlpnLnnwL+nIt/+e+cY2PoTtyHPM10qgck9nYj/f3bPd3ZfiraSBhZ
+KttBZfw5xQKgBwYFK4EEACKhZANiAAQh4YOVBbRxtdaM7uJvDrZqt6a1jJo+rijE
+V5Nw1OqU5jlksrCtZwcZXrR67MlqzFNyvkHtbcWRuBjL55xjQE+YavKnltuKu42C
+OUhWXh760M/c2SNzsjvsJgGXAsiPwiY=
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..cc12d1659
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A FORWARD -i eth0 -o eth1 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fc49f9fd2
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default
+}
+
+libstrongswan {
+  integrity_test = yes
+  crypto_test {
+    required = yes
+    on_add = yes
+  }
+  plugins {
+    openssl {
+      fips_mode = 2 
+    }
+  }
+}
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
new file mode 100644
index 000000000..fc7173430
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/p2pnat/behind-same-nat/evaltest.dat b/testing/tests/p2pnat/behind-same-nat/evaltest.dat
index e59334db9..378520596 100644
--- a/testing/tests/p2pnat/behind-same-nat/evaltest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/evaltest.dat
@@ -1,11 +1,11 @@
-alice::ipsec statusall::medsrv.*ESTABLISHED::YES
-venus::ipsec statusall::medsrv.*ESTABLISHED::YES
-carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_MOON.*6cu1UTVw@medsrv.org::YES
-carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_MOON.*F1ubAio8@medsrv.org::YES
+alice::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*6cu1UTVw@medsrv.org.*carol@strongswan.org::YES
+venus::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*F1ubAio8@medsrv.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*PH_IP_MOON.*6cu1UTVw@medsrv.org::YES
+carol::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*PH_IP_MOON.*F1ubAio8@medsrv.org::YES
 alice::cat /var/log/daemon.log::received ME_CALLBACK::YES
-alice::ipsec statusall::peer.*ESTABLISHED::YES
-venus::ipsec statusall::peer.*ESTABLISHED::YES
-alice::ipsec statusall::peer.*INSTALLED::YES
-venus::ipsec statusall::peer.*INSTALLED::YES
-alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ipsec status 2> /dev/null::peer.*ESTABLISHED.*alice@strongswan.org.*venus.strongswan.org::YES
+venus::ipsec status 2> /dev/null::peer.*ESTABLISHED.*venus.strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
+venus::ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index 1eb88c15c..000000000
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-	
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow NAT-T 
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf
index b47f157f6..4e70be4a0 100755..100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,10 +16,11 @@ conn %default
 		
 conn medsrv
 	leftid=6cu1UTVw@medsrv.org
+	leftauth=psk
 	right=PH_IP_CAROL
 	rightid=carol@strongswan.org
+	rightauth=pubkey
 	mediation=yes
-	authby=psk
 	auto=add
 
 conn peer
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..da385d22a
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 40510ce60..000000000
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE behind NAT
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-	# allow NAT-T
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf
index e38922cf4..4e8a50fb9 100755..100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,7 +16,9 @@ conn medsrv
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
+	leftauth=pubkey
 	leftfirewall=yes
 	right=%any
+	rightauth=psk
 	mediation=yes
 	auto=add
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables
deleted file mode 100755
index 6fca87b4a..000000000
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-        # allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow NAT-T
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf
index 3943c361e..4baa7b59f 100755..100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,9 +16,10 @@ conn %default
 
 conn medsrv
 	leftid=F1ubAio8@medsrv.org
+	leftauth=psk
 	right=PH_IP_CAROL
 	rightid=carol@strongswan.org
-	authby=psk
+	rightauth=pubkeye
 	mediation=yes
 	auto=start
 
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules
new file mode 100644
index 000000000..da385d22a
--- /dev/null
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/posttest.dat b/testing/tests/p2pnat/behind-same-nat/posttest.dat
index 36cd0f36d..a1d5b4612 100644
--- a/testing/tests/p2pnat/behind-same-nat/posttest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/posttest.dat
@@ -1,8 +1,8 @@
 venus::ipsec stop
 alice::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
diff --git a/testing/tests/p2pnat/behind-same-nat/pretest.dat b/testing/tests/p2pnat/behind-same-nat/pretest.dat
index f1e33dc39..eb1d67fa2 100644
--- a/testing/tests/p2pnat/behind-same-nat/pretest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/pretest.dat
@@ -1,7 +1,7 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1100-1200
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16  -j ACCEPT
@@ -10,5 +10,5 @@ carol::ipsec start
 carol::sleep 1
 alice::ipsec start
 alice::sleep 1
-venus::ipsec start 
-venus::sleep 4 
+venus::ipsec start
+venus::sleep 4
diff --git a/testing/tests/p2pnat/behind-same-nat/test.conf b/testing/tests/p2pnat/behind-same-nat/test.conf
index f98a0ab1b..fe44ff97b 100644
--- a/testing/tests/p2pnat/behind-same-nat/test.conf
+++ b/testing/tests/p2pnat/behind-same-nat/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou"
+VIRTHOSTS="alice venus moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-med.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice venus carol"
diff --git a/testing/tests/p2pnat/medsrv-psk/evaltest.dat b/testing/tests/p2pnat/medsrv-psk/evaltest.dat
index ba14bb858..2c6080775 100644
--- a/testing/tests/p2pnat/medsrv-psk/evaltest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/evaltest.dat
@@ -1,12 +1,12 @@
-alice::ipsec statusall::medsrv.*ESTABLISHED::YES
-bob::ipsec statusall::medsrv.*ESTABLISHED::YES
-carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_MOON.*6cu1UTVw@medsrv.org::YES
-carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_SUN.*v9oEPMz@medsrv.org::YES
-alice::ipsec statusall::peer.*ESTABLISHED::YES
-bob::ipsec statusall::peer.*ESTABLISHED::YES
-alice::ipsec statusall::peer.*INSTALLED::YES
-bob::ipsec statusall::peer.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+alice::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*6cu1UTVw@medsrv.org.*carol@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*av9oEPMz@medsrv.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*PH_IP_MOON.*6cu1UTVw@medsrv.org::YES
+carol::ipsec status 2> /dev/null::medsrv.*ESTABLISHED.*PH_IP_SUN.*v9oEPMz@medsrv.org::YES
+alice::ipsec status 2> /dev/null::peer.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
+bob::  ipsec status 2> /dev/null::peer.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
+bob::  ipsec status 2> /dev/null::peer.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
 moon::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables
deleted file mode 100755
index c6371c745..000000000
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow IKE
-        iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-        iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-			
-	# allow NAT-T
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf
index 99a50d5d8..6ac413a1b 100755..100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,10 +16,11 @@ conn %default
 		
 conn medsrv
 	leftid=6cu1UTVw@medsrv.org
+	leftauth=psk
 	right=PH_IP_CAROL
 	rightid=carol@strongswan.org
+	rightauth=pubkey
 	mediation=yes
-	authby=psk
 	auto=add
 
 conn peer 
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf
index 39dee8521..fb95f5637 100755..100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,9 +16,10 @@ conn %default
 
 conn medsrv
 	leftid=av9oEPMz@medsrv.org
+	leftauth=psk
 	right=PH_IP_CAROL
 	rightid=carol@strongswan.org
-	authby=psk
+	rightauth=pubkey
 	mediation=yes
 	auto=start
 
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 40510ce60..000000000
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE behind NAT
-	iptables -A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
-
-	# allow NAT-T
-	iptables -A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf
index e38922cf4..4e8a50fb9 100755..100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -19,7 +16,9 @@ conn medsrv
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
 	leftid=carol@strongswan.org
+	leftauth=pubkey
 	leftfirewall=yes
 	right=%any
+	rightauth=psk
 	mediation=yes
 	auto=add
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
index 339b56987..dc937641c 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/posttest.dat b/testing/tests/p2pnat/medsrv-psk/posttest.dat
index ca3cebc0a..4b696b90f 100644
--- a/testing/tests/p2pnat/medsrv-psk/posttest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/posttest.dat
@@ -1,10 +1,10 @@
 bob::ipsec stop
 alice::ipsec stop
 carol::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-bob::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+bob::iptables-restore < /etc/iptables.flush
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::conntrack -F
 sun::conntrack -F
diff --git a/testing/tests/p2pnat/medsrv-psk/pretest.dat b/testing/tests/p2pnat/medsrv-psk/pretest.dat
index fba7be01d..09b658318 100644
--- a/testing/tests/p2pnat/medsrv-psk/pretest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/pretest.dat
@@ -1,8 +1,8 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-bob::/etc/init.d/iptables start 2> /dev/null
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+bob::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1100-1200
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16  -j ACCEPT
@@ -15,5 +15,5 @@ carol::ipsec start
 carol::sleep 1
 bob::ipsec start
 bob::sleep 1
-alice::ipsec start 
-alice::sleep 4 
+alice::ipsec start
+alice::sleep 4
diff --git a/testing/tests/p2pnat/medsrv-psk/test.conf b/testing/tests/p2pnat/medsrv-psk/test.conf
index 2dc4cd8c1..a1c6b8c15 100644
--- a/testing/tests/p2pnat/medsrv-psk/test.conf
+++ b/testing/tests/p2pnat/medsrv-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou sun bob"
+VIRTHOSTS="alice moon carol winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-s-b-med.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="alice carol bob"
diff --git a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
index 24e36eb77..590b7fe9c 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat
@@ -1,12 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_128/AES_XCBC_96,::YES
-carol::ipsec statusall::home.*AES_CBC_128/AES_XCBC_96,::YES
-moon::ip xfrm state::auth xcbc(aes)::YES
-carol::ip xfrm state::auth xcbc(aes)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
+moon:: ip xfrm state::auth-trunc xcbc(aes)::YES
+carol::ip xfrm state::auth-trunc xcbc(aes)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES
-
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
index 33e6a842b..74668e7fb 100755..100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
index 208477deb..3cda72935 100755..100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/posttest.dat b/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
+++ b/testing/tests/pfkey/alg-aes-xcbc/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/pfkey/alg-aes-xcbc/test.conf b/testing/tests/pfkey/alg-aes-xcbc/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/test.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/alg-sha384/evaltest.dat b/testing/tests/pfkey/alg-sha384/evaltest.dat
index 31bb64c5e..3b24217c5 100644
--- a/testing/tests/pfkey/alg-sha384/evaltest.dat
+++ b/testing/tests/pfkey/alg-sha384/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
-moon::ip xfrm state::auth hmac(sha384)::YES
-carol::ip xfrm state::auth hmac(sha384)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
+carol::ip xfrm state::auth-trunc hmac(sha384)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/ipsec.conf
index d38b7dfcf..e02d90b78 100755..100644
--- a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/ipsec.conf
index ea84cd8a4..990fce1d0 100755..100644
--- a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha384/posttest.dat b/testing/tests/pfkey/alg-sha384/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/alg-sha384/posttest.dat
+++ b/testing/tests/pfkey/alg-sha384/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/alg-sha384/pretest.dat b/testing/tests/pfkey/alg-sha384/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/alg-sha384/pretest.dat
+++ b/testing/tests/pfkey/alg-sha384/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/pfkey/alg-sha384/test.conf b/testing/tests/pfkey/alg-sha384/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/alg-sha384/test.conf
+++ b/testing/tests/pfkey/alg-sha384/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/alg-sha512/evaltest.dat b/testing/tests/pfkey/alg-sha512/evaltest.dat
index e0f5fb7a3..6bdceeb44 100644
--- a/testing/tests/pfkey/alg-sha512/evaltest.dat
+++ b/testing/tests/pfkey/alg-sha512/evaltest.dat
@@ -1,11 +1,13 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
-carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES
-moon::ipsec statusall::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-carol::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
-moon::ip xfrm state::auth hmac(sha512)::YES
-carol::ip xfrm state::auth hmac(sha512)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES
+moon:: ip xfrm state::auth-trunc hmac(sha512)::YES
+carol::ip xfrm state::auth-trunc hmac(sha512)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES
diff --git a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/ipsec.conf
index 583522d1b..13ab244bb 100755..100644
--- a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/ipsec.conf
index 40fec93c0..e6d410442 100755..100644
--- a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha512/posttest.dat b/testing/tests/pfkey/alg-sha512/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/alg-sha512/posttest.dat
+++ b/testing/tests/pfkey/alg-sha512/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/alg-sha512/pretest.dat b/testing/tests/pfkey/alg-sha512/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/alg-sha512/pretest.dat
+++ b/testing/tests/pfkey/alg-sha512/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/pfkey/alg-sha512/test.conf b/testing/tests/pfkey/alg-sha512/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/alg-sha512/test.conf
+++ b/testing/tests/pfkey/alg-sha512/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/esp-alg-null/evaltest.dat b/testing/tests/pfkey/esp-alg-null/evaltest.dat
index d5c0a64c4..c50b188bb 100644
--- a/testing/tests/pfkey/esp-alg-null/evaltest.dat
+++ b/testing/tests/pfkey/esp-alg-null/evaltest.dat
@@ -1,9 +1,11 @@
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*INSTALLED::YES
-carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ipsec statusall::NULL/HMAC_SHA1_96::YES
-carol::ipsec statusall::NULL/HMAC_SHA1_96::YES
-moon::ip xfrm state::enc ecb(cipher_null)::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+moon:: ip xfrm state::enc ecb(cipher_null)::YES
 carol::ip xfrm state::enc ecb(cipher_null)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length::YES
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/ipsec.conf
index 5640d74fc..1d8509115 100755..100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/ipsec.conf
index 91f4a7c7f..38f8bd619 100755..100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=yes
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/posttest.dat b/testing/tests/pfkey/esp-alg-null/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/esp-alg-null/posttest.dat
+++ b/testing/tests/pfkey/esp-alg-null/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/esp-alg-null/pretest.dat b/testing/tests/pfkey/esp-alg-null/pretest.dat
index f360351e1..4fc25772b 100644
--- a/testing/tests/pfkey/esp-alg-null/pretest.dat
+++ b/testing/tests/pfkey/esp-alg-null/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1 
diff --git a/testing/tests/pfkey/esp-alg-null/test.conf b/testing/tests/pfkey/esp-alg-null/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/esp-alg-null/test.conf
+++ b/testing/tests/pfkey/esp-alg-null/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/host2host-transport/evaltest.dat b/testing/tests/pfkey/host2host-transport/evaltest.dat
index b3cade48c..fbd0c1c96 100644
--- a/testing/tests/pfkey/host2host-transport/evaltest.dat
+++ b/testing/tests/pfkey/host2host-transport/evaltest.dat
@@ -1,8 +1,10 @@
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
 moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES
-moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
-sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES
 moon::ip xfrm state::mode transport::YES
-sun::ip xfrm state::mode transport::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+sun:: ip xfrm state::mode transport::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/ipsec.conf
index 7f6c5a58a..de273e53a 100755..100644
--- a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/ipsec.conf
index af52fb22b..e96c1ca2e 100755..100644
--- a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/host2host-transport/posttest.dat b/testing/tests/pfkey/host2host-transport/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/pfkey/host2host-transport/posttest.dat
+++ b/testing/tests/pfkey/host2host-transport/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/host2host-transport/pretest.dat b/testing/tests/pfkey/host2host-transport/pretest.dat
index e2d98f2eb..99789b90f 100644
--- a/testing/tests/pfkey/host2host-transport/pretest.dat
+++ b/testing/tests/pfkey/host2host-transport/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2
diff --git a/testing/tests/pfkey/host2host-transport/test.conf b/testing/tests/pfkey/host2host-transport/test.conf
index cf2e704fd..5a286c84f 100644
--- a/testing/tests/pfkey/host2host-transport/test.conf
+++ b/testing/tests/pfkey/host2host-transport/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="moon winnetou sun"
+VIRTHOSTS="moon winnetou sun"
  
 # Corresponding block diagram
 #
 DIAGRAM="m-w-s.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/pfkey/nat-two-rw/description.txt b/testing/tests/pfkey/nat-rw/description.txt
index dcf4b94bd..dcf4b94bd 100644
--- a/testing/tests/pfkey/nat-two-rw/description.txt
+++ b/testing/tests/pfkey/nat-rw/description.txt
diff --git a/testing/tests/pfkey/nat-rw/evaltest.dat b/testing/tests/pfkey/nat-rw/evaltest.dat
new file mode 100644
index 000000000..ac09e2d6b
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/evaltest.dat
@@ -0,0 +1,12 @@
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+sun::  ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/ipsec.conf b/testing/tests/pfkey/nat-rw/hosts/alice/etc/ipsec.conf
index 3da2fcf86..b04ffa7e8 100755..100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/pfkey/nat-rw/hosts/alice/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..2061e52e9
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+}
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/nat-rw/hosts/sun/etc/ipsec.conf
index d8b426318..59762b1fe 100755..100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/pfkey/nat-rw/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/pfkey/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..2061e52e9
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+}
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/ipsec.conf b/testing/tests/pfkey/nat-rw/hosts/venus/etc/ipsec.conf
index 3a70b3434..c6ee10979 100755..100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/ipsec.conf
+++ b/testing/tests/pfkey/nat-rw/hosts/venus/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..2061e52e9
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+}
diff --git a/testing/tests/pfkey/nat-rw/posttest.dat b/testing/tests/pfkey/nat-rw/posttest.dat
new file mode 100644
index 000000000..4643a3a7b
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::iptables-restore < /etc/iptables.flush
+venus::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev1/nat-two-rw/pretest.dat b/testing/tests/pfkey/nat-rw/pretest.dat
index dd5259936..d701a1d61 100644
--- a/testing/tests/ikev1/nat-two-rw/pretest.dat
+++ b/testing/tests/pfkey/nat-rw/pretest.dat
@@ -1,13 +1,13 @@
-alice::/etc/init.d/iptables start 2> /dev/null
-venus::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+alice::iptables-restore < /etc/iptables.rules
+venus::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
 alice::ipsec start
 venus::ipsec start
 sun::ipsec start
-alice::sleep 5 
+alice::sleep 2 
 alice::ipsec up nat-t
-venus::sleep 5 
+venus::sleep 2 
 venus::ipsec up nat-t
+venus::sleep 2
diff --git a/testing/tests/pfkey/nat-rw/test.conf b/testing/tests/pfkey/nat-rw/test.conf
new file mode 100644
index 000000000..f515d4bc7
--- /dev/null
+++ b/testing/tests/pfkey/nat-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/pfkey/nat-two-rw/evaltest.dat b/testing/tests/pfkey/nat-two-rw/evaltest.dat
deleted file mode 100644
index bd0a4b52b..000000000
--- a/testing/tests/pfkey/nat-two-rw/evaltest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-alice::ipsec statusall::nat-t.*INSTALLED::YES
-venus::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec statusall::nat-t.*INSTALLED::YES
-sun::ipsec status::alice@strongswan.org::YES
-sun::ipsec status::venus.strongswan.org::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
-moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
deleted file mode 100644
index 21015f8a2..000000000
--- a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-}
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 21015f8a2..000000000
--- a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-}
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
deleted file mode 100644
index 21015f8a2..000000000
--- a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-}
diff --git a/testing/tests/pfkey/nat-two-rw/posttest.dat b/testing/tests/pfkey/nat-two-rw/posttest.dat
deleted file mode 100644
index 52572ece8..000000000
--- a/testing/tests/pfkey/nat-two-rw/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-sun::ipsec stop
-alice::ipsec stop
-venus::ipsec stop
-alice::/etc/init.d/iptables stop 2> /dev/null
-venus::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::iptables -t nat -F
-moon::conntrack -F
diff --git a/testing/tests/pfkey/nat-two-rw/test.conf b/testing/tests/pfkey/nat-two-rw/test.conf
deleted file mode 100644
index 84317fd70..000000000
--- a/testing/tests/pfkey/nat-two-rw/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/pfkey/net2net-route/evaltest.dat b/testing/tests/pfkey/net2net-route/evaltest.dat
index a89e5a298..1de6ca8e1 100644
--- a/testing/tests/pfkey/net2net-route/evaltest.dat
+++ b/testing/tests/pfkey/net2net-route/evaltest.dat
@@ -1,6 +1,9 @@
-moon::cat /var/log/daemon.log::creating acquire job::YES
-moon::ipsec statusall::net-net.*INSTALLED::YES
-sun::ipsec statusall::net-net.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ROUTED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::creating acquire job::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/net2net-route/hosts/moon/etc/ipsec.conf
index 8a2f8b77c..c374cd6b4 100755..100644
--- a/testing/tests/pfkey/net2net-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/net2net-route/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/net2net-route/hosts/sun/etc/ipsec.conf
index 24e5df519..06bfa038b 100755..100644
--- a/testing/tests/pfkey/net2net-route/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/net2net-route/posttest.dat b/testing/tests/pfkey/net2net-route/posttest.dat
index 5a9150bc8..1f7aa73a1 100644
--- a/testing/tests/pfkey/net2net-route/posttest.dat
+++ b/testing/tests/pfkey/net2net-route/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/net2net-route/pretest.dat b/testing/tests/pfkey/net2net-route/pretest.dat
index 2eef7de19..e4ee3fac2 100644
--- a/testing/tests/pfkey/net2net-route/pretest.dat
+++ b/testing/tests/pfkey/net2net-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 2 
diff --git a/testing/tests/pfkey/net2net-route/test.conf b/testing/tests/pfkey/net2net-route/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/pfkey/net2net-route/test.conf
+++ b/testing/tests/pfkey/net2net-route/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/pfkey/protoport-dual/evaltest.dat b/testing/tests/pfkey/protoport-dual/evaltest.dat
index bd24b911c..50b53cc00 100644
--- a/testing/tests/pfkey/protoport-dual/evaltest.dat
+++ b/testing/tests/pfkey/protoport-dual/evaltest.dat
@@ -1,9 +1,11 @@
-carol::ipsec statusall::home-icmp.*INSTALLED::YES
-carol::ipsec statusall::home-ssh.*INSTALLED::YES
-moon::ipsec statusall::rw-icmp.*INSTALLED::YES
-moon::ipsec statusall::rw-ssh.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home-icmp.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/ipsec.conf
index 51971a13c..e15382bad 100755..100644
--- a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/ipsec.conf
index 0d7e8db3f..bc131cd71 100755..100644
--- a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/posttest.dat b/testing/tests/pfkey/protoport-dual/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/protoport-dual/posttest.dat
+++ b/testing/tests/pfkey/protoport-dual/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/protoport-dual/pretest.dat b/testing/tests/pfkey/protoport-dual/pretest.dat
index d3d0061c3..efb2e5712 100644
--- a/testing/tests/pfkey/protoport-dual/pretest.dat
+++ b/testing/tests/pfkey/protoport-dual/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 2
diff --git a/testing/tests/pfkey/protoport-dual/test.conf b/testing/tests/pfkey/protoport-dual/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/protoport-dual/test.conf
+++ b/testing/tests/pfkey/protoport-dual/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/protoport-route/evaltest.dat b/testing/tests/pfkey/protoport-route/evaltest.dat
index 78d062918..9e970f055 100644
--- a/testing/tests/pfkey/protoport-route/evaltest.dat
+++ b/testing/tests/pfkey/protoport-route/evaltest.dat
@@ -1,10 +1,12 @@
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES
-carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req::YES
+carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req::YES
 carol::ssh PH_IP_ALICE hostname::alice::YES
 carol::cat /var/log/daemon.log::creating acquire job::YES
-carol::ipsec statusall::home-icmp.*INSTALLED::YES
-carol::ipsec statusall::home-ssh.*INSTALLED::YES
-moon::ipsec statusall::rw-icmp.*INSTALLED::YES
-moon::ipsec statusall::rw-ssh.*INSTALLED::YES
+carol::ipsec status 2> /dev/null::home-icmp.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/protoport-route/hosts/carol/etc/ipsec.conf
index d76a6ee17..f4d112daf 100755..100644
--- a/testing/tests/pfkey/protoport-route/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/protoport-route/hosts/moon/etc/ipsec.conf
index 0d7e8db3f..bc131cd71 100755..100644
--- a/testing/tests/pfkey/protoport-route/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
index 21015f8a2..2061e52e9 100644
--- a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-route/posttest.dat b/testing/tests/pfkey/protoport-route/posttest.dat
index 94a400606..046d4cfdc 100644
--- a/testing/tests/pfkey/protoport-route/posttest.dat
+++ b/testing/tests/pfkey/protoport-route/posttest.dat
@@ -1,4 +1,4 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/protoport-route/pretest.dat b/testing/tests/pfkey/protoport-route/pretest.dat
index 0aded0f4d..5a15574d6 100644
--- a/testing/tests/pfkey/protoport-route/pretest.dat
+++ b/testing/tests/pfkey/protoport-route/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/pfkey/protoport-route/test.conf b/testing/tests/pfkey/protoport-route/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/pfkey/protoport-route/test.conf
+++ b/testing/tests/pfkey/protoport-route/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/pfkey/rw-cert/evaltest.dat b/testing/tests/pfkey/rw-cert/evaltest.dat
index 06a0f8cda..2342d024b 100644
--- a/testing/tests/pfkey/rw-cert/evaltest.dat
+++ b/testing/tests/pfkey/rw-cert/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/ipsec.conf
index bcdb8641b..e72f78742 100755..100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
index d59e04ef3..3da60b82f 100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/ipsec.conf
index ea8bc92a7..65c9819bb 100755..100644
--- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
index d59e04ef3..3da60b82f 100644
--- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/ipsec.conf
index 274521386..1ee751360 100755..100644
--- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
index d59e04ef3..3da60b82f 100644
--- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/pfkey/rw-cert/posttest.dat b/testing/tests/pfkey/rw-cert/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/pfkey/rw-cert/posttest.dat
+++ b/testing/tests/pfkey/rw-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/rw-cert/pretest.dat b/testing/tests/pfkey/rw-cert/pretest.dat
index 42e9d7c24..8bbea1412 100644
--- a/testing/tests/pfkey/rw-cert/pretest.dat
+++ b/testing/tests/pfkey/rw-cert/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/pfkey/rw-cert/test.conf b/testing/tests/pfkey/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/pfkey/rw-cert/test.conf
+++ b/testing/tests/pfkey/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/pfkey/shunt-policies/evaltest.dat b/testing/tests/pfkey/shunt-policies/evaltest.dat
index 2f6e1a91f..6ba3a988f 100644
--- a/testing/tests/pfkey/shunt-policies/evaltest.dat
+++ b/testing/tests/pfkey/shunt-policies/evaltest.dat
@@ -1,15 +1,19 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+moon:: ipsec status 2> /dev/null::local-net.*PASS::YES
+moon:: ipsec status 2> /dev/null::venus-icmp.*DROP::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 venus::ssh PH_IP_BOB hostname::bob::YES
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 2b90a14c7..000000000
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# allow icmp in local net
-	iptables -A INPUT  -i eth1 -p icmp -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf
index a4958f295..90a5d61b1 100755..100644
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..af0f25209
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow icmp in local net
+-A INPUT  -i eth1 -p icmp -j ACCEPT
+-A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf
index 87b70994f..4582e1473 100644
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
   multiple_authentication = no
   install_routes = no
 }
diff --git a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf
index c3b36fb7c..cd8ea23c3 100755..100644
--- a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf
@@ -1,9 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf
index 10efed787..902d83c69 100644
--- a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/pfkey/shunt-policies/posttest.dat b/testing/tests/pfkey/shunt-policies/posttest.dat
index a4c96e10f..837738fc6 100644
--- a/testing/tests/pfkey/shunt-policies/posttest.dat
+++ b/testing/tests/pfkey/shunt-policies/posttest.dat
@@ -1,5 +1,5 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 
diff --git a/testing/tests/pfkey/shunt-policies/pretest.dat b/testing/tests/pfkey/shunt-policies/pretest.dat
index 2d7a78acb..c724e5df8 100644
--- a/testing/tests/pfkey/shunt-policies/pretest.dat
+++ b/testing/tests/pfkey/shunt-policies/pretest.dat
@@ -1,5 +1,5 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/pfkey/shunt-policies/test.conf b/testing/tests/pfkey/shunt-policies/test.conf
index cf2ef7424..6b7432ca6 100644
--- a/testing/tests/pfkey/shunt-policies/test.conf
+++ b/testing/tests/pfkey/shunt-policies/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/ip-pool-db-expired/evaltest.dat b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
index 9633fde10..5ff5edbf8 100644
--- a/testing/tests/sql/ip-pool-db-expired/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/evaltest.dat
@@ -1,21 +1,25 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*1h.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*1h.*2::YES
+moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
index 3300d3ee8..69f7bb692 100644
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat
index 40b1a403e..1b963fcec 100644
--- a/testing/tests/sql/ip-pool-db-expired/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat
index 4df33509f..391785a1c 100644
--- a/testing/tests/sql/ip-pool-db-expired/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat
@@ -8,9 +8,9 @@ moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --leases 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/ip-pool-db-expired/test.conf b/testing/tests/sql/ip-pool-db-expired/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-pool-db-expired/test.conf
+++ b/testing/tests/sql/ip-pool-db-expired/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-pool-db-restart/evaltest.dat b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
index f4c713c9f..f70e2d2de 100644
--- a/testing/tests/sql/ip-pool-db-restart/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/evaltest.dat
@@ -1,21 +1,25 @@
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::acquired existing lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired existing lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
index 3300d3ee8..69f7bb692 100644
--- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat
index 40b1a403e..1b963fcec 100644
--- a/testing/tests/sql/ip-pool-db-restart/posttest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat
index b5108051c..20b1937b7 100644
--- a/testing/tests/sql/ip-pool-db-restart/pretest.dat
+++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat
@@ -8,9 +8,9 @@ moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --leases 2> /dev/null
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/ip-pool-db-restart/test.conf b/testing/tests/sql/ip-pool-db-restart/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-pool-db-restart/test.conf
+++ b/testing/tests/sql/ip-pool-db-restart/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-pool-db/evaltest.dat b/testing/tests/sql/ip-pool-db/evaltest.dat
index 11be09d38..cfa87ae3f 100644
--- a/testing/tests/sql/ip-pool-db/evaltest.dat
+++ b/testing/tests/sql/ip-pool-db/evaltest.dat
@@ -5,28 +5,32 @@ carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
 carol::cat /var/log/daemon.log::handling APPLICATION_VERSION attribute failed::YES
 carol::ip addr list dev eth0::PH_IP_CAROL1::YES
 carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
-carol::ipsec status::home.*INSTALLED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
-dave::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
-dave::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
-dave::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
-dave::cat /var/log/daemon.log::handling APPLICATION_VERSION attribute failed::YES
-dave::ip addr list dev eth0::PH_IP_DAVE1::YES
-dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
-dave::ipsec status::home.*INSTALLED::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES
-moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
-moon::cat /var/log/daemon.log::assigning virtual IP::YES
-moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
-moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES
+dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES
+dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES
+dave:: cat /var/log/daemon.log::handling APPLICATION_VERSION attribute failed::YES
+dave:: ip addr list dev eth0::PH_IP_DAVE1::YES
+dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
+dave:: ipsec status 2> /dev/null::.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP::YES
+moon:: ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES
+moon:: ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES
+moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES
+moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
index d09387c35..145ca9029 100644
--- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
index d09387c35..145ca9029 100644
--- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql resolve
 }
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
index 3300d3ee8..69f7bb692 100644
--- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat
index 40b1a403e..1b963fcec 100644
--- a/testing/tests/sql/ip-pool-db/posttest.dat
+++ b/testing/tests/sql/ip-pool-db/posttest.dat
@@ -1,9 +1,9 @@
 carol::ipsec stop
 dave::ipsec stop
 moon::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat
index a5d786b3f..819aca3d9 100644
--- a/testing/tests/sql/ip-pool-db/pretest.dat
+++ b/testing/tests/sql/ip-pool-db/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/ip-pool-db/test.conf b/testing/tests/sql/ip-pool-db/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-pool-db/test.conf
+++ b/testing/tests/sql/ip-pool-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat
index 6c912eb47..5f7f5ec3d 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat
+++ b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat
@@ -1,14 +1,18 @@
 dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
-dave::ipsec status::home.*INSTALLED::YES
+dave::ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::ipsec status::home.*INSTALLED::YES
-moon::cat /var/log/daemon.log::acquired existing lease for address 10.3.1.1 in pool.*pool1::YES
-moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
-moon::cat /var/log/daemon.log::acquired existing lease for address 10.3.0.1 in pool.*pool0::YES
-moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
-moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.2.*static.*2 .*1 .*1 ::YES
-moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.2.*static.*2 .*1 .*1 ::YES
-moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::acquired existing lease for address 10.3.1.1 in pool.*pool1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
+moon:: cat /var/log/daemon.log::acquired existing lease for address 10.3.0.1 in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
+moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.2.*static.*2 .*1 .*1 ::YES
+moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.2.*static.*2 .*1 .*1 ::YES
+moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
index 3300d3ee8..69f7bb692 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-split-pools-db-restart/test.conf b/testing/tests/sql/ip-split-pools-db-restart/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-split-pools-db-restart/test.conf
+++ b/testing/tests/sql/ip-split-pools-db-restart/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/ip-split-pools-db/evaltest.dat b/testing/tests/sql/ip-split-pools-db/evaltest.dat
index f358b62c8..f186d8927 100644
--- a/testing/tests/sql/ip-split-pools-db/evaltest.dat
+++ b/testing/tests/sql/ip-split-pools-db/evaltest.dat
@@ -1,15 +1,17 @@
 carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-carol::ipsec status::home.*INSTALLED::YES
-dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
-dave::ipsec status::home.*INSTALLED::YES
-moon::cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
-moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
-moon::cat /var/log/daemon.log::no available address found in pool.*pool0::YES
-moon::cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
-moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
-moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*static.*1 .*1 .*1 ::YES
-moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*static.*1 .*1 .*1 ::YES
-moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
-moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
-moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES
-moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES
+moon:: cat /var/log/daemon.log::no available address found in pool.*pool0::YES
+moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES
+moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES
+moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*static.*1 .*1 .*1 ::YES
+moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*static.*1 .*1 .*1 ::YES
+moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index 3300d3ee8..69f7bb692 100644
--- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
 }
 
 libhydra {
diff --git a/testing/tests/sql/ip-split-pools-db/test.conf b/testing/tests/sql/ip-split-pools-db/test.conf
index 75510b295..9b1ec0b54 100644
--- a/testing/tests/sql/ip-split-pools-db/test.conf
+++ b/testing/tests/sql/ip-split-pools-db/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="alice moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/multi-level-ca/evaltest.dat b/testing/tests/sql/multi-level-ca/evaltest.dat
index 91113ce11..72a555d4b 100644
--- a/testing/tests/sql/multi-level-ca/evaltest.dat
+++ b/testing/tests/sql/multi-level-ca/evaltest.dat
@@ -1,16 +1,21 @@
 carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES
-dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf
index 96eb832ae..d77a4c0c9 100755..100644
--- a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf
@@ -2,6 +2,5 @@
 
 config setup
         strictcrlpolicy=yes
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf
index 96eb832ae..d77a4c0c9 100755..100644
--- a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf
@@ -2,6 +2,5 @@
 
 config setup
         strictcrlpolicy=yes
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf
index 96eb832ae..296ed1e93 100644
--- a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        strictcrlpolicy=yes
-        plutostart=no
+	strictcrlpolicy=yes
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/multi-level-ca/posttest.dat
+++ b/testing/tests/sql/multi-level-ca/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/multi-level-ca/pretest.dat
+++ b/testing/tests/sql/multi-level-ca/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/multi-level-ca/test.conf b/testing/tests/sql/multi-level-ca/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/multi-level-ca/test.conf
+++ b/testing/tests/sql/multi-level-ca/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/net2net-cert/evaltest.dat b/testing/tests/sql/net2net-cert/evaltest.dat
index e67c39a08..f003f822f 100644
--- a/testing/tests/sql/net2net-cert/evaltest.dat
+++ b/testing/tests/sql/net2net-cert/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-cert/posttest.dat
+++ b/testing/tests/sql/net2net-cert/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat
index 2ab18542f..a1777efb0 100644
--- a/testing/tests/sql/net2net-cert/pretest.dat
+++ b/testing/tests/sql/net2net-cert/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/sql/net2net-cert/test.conf b/testing/tests/sql/net2net-cert/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/sql/net2net-cert/test.conf
+++ b/testing/tests/sql/net2net-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-psk/evaltest.dat b/testing/tests/sql/net2net-psk/evaltest.dat
index e67c39a08..f003f822f 100644
--- a/testing/tests/sql/net2net-psk/evaltest.dat
+++ b/testing/tests/sql/net2net-psk/evaltest.dat
@@ -1,5 +1,7 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-psk/posttest.dat
+++ b/testing/tests/sql/net2net-psk/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat
index 2ab18542f..a1777efb0 100644
--- a/testing/tests/sql/net2net-psk/pretest.dat
+++ b/testing/tests/sql/net2net-psk/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/sql/net2net-psk/test.conf b/testing/tests/sql/net2net-psk/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/sql/net2net-psk/test.conf
+++ b/testing/tests/sql/net2net-psk/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-route-pem/evaltest.dat b/testing/tests/sql/net2net-route-pem/evaltest.dat
index eaca715d5..3fd32907c 100644
--- a/testing/tests/sql/net2net-route-pem/evaltest.dat
+++ b/testing/tests/sql/net2net-route-pem/evaltest.dat
@@ -1,16 +1,16 @@
-moon::ipsec statusall::net-1.*ROUTED::YES
-sun::ipsec statusall::net-1.*ROUTED::YES
-moon::ipsec statusall::net-2.*ROUTED::YES
-sun::ipsec statusall::net-2.*ROUTED::YES
-moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp\] with reqid {1}::YES
-moon::ipsec statusall::net-1.*INSTALLED::YES
-sun::ipsec statusall::net-1.*INSTALLED::YES
-sun::cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp\] with reqid {2}::YES
-moon::ipsec statusall::net-2.*INSTALLED::YES
-sun::ipsec statusall::net-2.*INSTALLED::YES
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-1.*ROUTED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-1.*ROUTED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::net-2.*ROUTED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-2.*ROUTED, TUNNEL::YES
+moon:: cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp\] with reqid {1}::YES
+moon:: ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-1.*INSTALLED. TUNNEL::YES
+sun::  cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp\] with reqid {2}::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-route-pem/posttest.dat
+++ b/testing/tests/sql/net2net-route-pem/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat
index 5a537e15b..8ca573ee5 100644
--- a/testing/tests/sql/net2net-route-pem/pretest.dat
+++ b/testing/tests/sql/net2net-route-pem/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ipsec start
 moon::ipsec start
 moon::sleep 1
diff --git a/testing/tests/sql/net2net-route-pem/test.conf b/testing/tests/sql/net2net-route-pem/test.conf
index 13a8a2a48..10c582c9b 100644
--- a/testing/tests/sql/net2net-route-pem/test.conf
+++ b/testing/tests/sql/net2net-route-pem/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-start-pem/evaltest.dat b/testing/tests/sql/net2net-start-pem/evaltest.dat
index eaacd0133..6534adc07 100644
--- a/testing/tests/sql/net2net-start-pem/evaltest.dat
+++ b/testing/tests/sql/net2net-start-pem/evaltest.dat
@@ -1,12 +1,12 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-moon::ipsec statusall::net-1.*INSTALLED::YES
-sun::ipsec statusall::net-1.*INSTALLED::YES
-moon::ipsec statusall::net-2.*INSTALLED::YES
-sun::ipsec statusall::net-2.*INSTALLED::YES
-moon::ipsec statusall::net-3.*INSTALLED::YES
-sun::ipsec statusall::net-3.*INSTALLED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::net-3.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-3.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/net2net-start-pem/posttest.dat
+++ b/testing/tests/sql/net2net-start-pem/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat
index 3e168960d..1c71f0c14 100644
--- a/testing/tests/sql/net2net-start-pem/pretest.dat
+++ b/testing/tests/sql/net2net-start-pem/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 sun::ipsec start
 moon::ipsec start
-moon::sleep 2
+moon::sleep 3
diff --git a/testing/tests/sql/net2net-start-pem/test.conf b/testing/tests/sql/net2net-start-pem/test.conf
index 13a8a2a48..10c582c9b 100644
--- a/testing/tests/sql/net2net-start-pem/test.conf
+++ b/testing/tests/sql/net2net-start-pem/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/rw-cert/evaltest.dat b/testing/tests/sql/rw-cert/evaltest.dat
index 06a0f8cda..2342d024b 100644
--- a/testing/tests/sql/rw-cert/evaltest.dat
+++ b/testing/tests/sql/rw-cert/evaltest.dat
@@ -1,10 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
index a09081afe..7cd88f5da 100644
--- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
index a09081afe..7cd88f5da 100644
--- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
index a09081afe..7cd88f5da 100644
--- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf
@@ -6,7 +6,7 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
 
 libstrongswan {
diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/rw-cert/posttest.dat
+++ b/testing/tests/sql/rw-cert/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-cert/pretest.dat
+++ b/testing/tests/sql/rw-cert/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-cert/test.conf b/testing/tests/sql/rw-cert/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-cert/test.conf
+++ b/testing/tests/sql/rw-cert/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
index aca7b045b..e1d33feb7 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
@@ -1,9 +1,11 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-eap-aka.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index 2fdfe3282..f48c123d1 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
+  load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index 3661a7bb9..41951083c 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db
     }
   }
-  load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
+  load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2
 }
diff --git a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
index 23eeb0d17..584356d8e 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 ~
diff --git a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
index b78fd480f..8f2387ba1 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 carol::sleep 1
diff --git a/testing/tests/sql/rw-eap-aka-rsa/test.conf b/testing/tests/sql/rw-eap-aka-rsa/test.conf
index 9cd583b16..4a5fc470f 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/test.conf
+++ b/testing/tests/sql/rw-eap-aka-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou"
+VIRTHOSTS="alice moon carol winnetou"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol"
diff --git a/testing/tests/sql/rw-psk-ipv4/evaltest.dat b/testing/tests/sql/rw-psk-ipv4/evaltest.dat
index 06a0f8cda..eaf47395e 100644
--- a/testing/tests/sql/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*\[192.168.0.1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*\[192.168.0.1]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[192.168.0.1].*\[192.168.0.100]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[192.168.0.1].*\[192.168.0.200]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/rw-psk-ipv4/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-psk-ipv4/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-psk-ipv4/test.conf b/testing/tests/sql/rw-psk-ipv4/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-psk-ipv4/test.conf
+++ b/testing/tests/sql/rw-psk-ipv4/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-psk-ipv6/evaltest.dat b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
index cee1853c4..344dfa809 100644
--- a/testing/tests/sql/rw-psk-ipv6/evaltest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/evaltest.dat
@@ -1,8 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*10].*\[fec0.*1]::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[fec0.*20].*\[fec0.*1]::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[fec0.*1].*\[fec0.*10]::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[fec0.*1].*\[fec0.*20]::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
 carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
-dave::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
+dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES
 moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES
 moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..7362b2e25
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/iptables.rules
@@ -0,0 +1,16 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..7362b2e25
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/iptables.rules
@@ -0,0 +1,16 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 25074a0f1..000000000
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	/sbin/ip6tables -P INPUT DROP
-	/sbin/ip6tables -P OUTPUT DROP
-	/sbin/ip6tables -P FORWARD DROP
-
-	# allow esp
-	ip6tables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	ip6tables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow last UDP fragment
-	ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT
-
-	# allow ICMPv6 neighbor-solicitations
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-	
-	# allow ICMPv6 neighbor-advertisements
-	ip6tables -A INPUT  -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-	ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# log dropped packets
-	ip6tables -A INPUT  -j LOG --log-prefix " IN: "
-	ip6tables -A OUTPUT -j LOG --log-prefix " OUT: "
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/ip6tables -t filter -P INPUT ACCEPT
-				/sbin/ip6tables -t filter -P FORWARD ACCEPT
-				/sbin/ip6tables -t filter -P OUTPUT ACCEPT
-
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/ip6tables -F -t $a
-			/sbin/ip6tables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..7362b2e25
--- /dev/null
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/iptables.rules
@@ -0,0 +1,16 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
index 1120fe649..5e4eb1246 100644
--- a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat
index bdfd9ed00..ab753507f 100644
--- a/testing/tests/sql/rw-psk-ipv6/posttest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat
@@ -1,9 +1,12 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::ip6tables-restore < /etc/ip6tables.flush
+carol::ip6tables-restore < /etc/ip6tables.flush
+dave::ip6tables-restore < /etc/ip6tables.flush
 alice::"ip route del fec0:\:/16 via fec1:\:1"
 carol::"ip route del fec1:\:/16 via fec0:\:1"
 dave::"ip route del fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat
index 253438dbf..587dd7f85 100644
--- a/testing/tests/sql/rw-psk-ipv6/pretest.dat
+++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat
@@ -7,9 +7,12 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ip6tables-restore < /etc/ip6tables.rules
+carol::ip6tables-restore < /etc/ip6tables.rules
+dave::ip6tables-restore < /etc/ip6tables.rules
 alice::"ip route add fec0:\:/16 via fec1:\:1"
 carol::"ip route add fec1:\:/16 via fec0:\:1"
 dave::"ip route add fec1:\:/16 via fec0:\:1"
diff --git a/testing/tests/sql/rw-psk-ipv6/test.conf b/testing/tests/sql/rw-psk-ipv6/test.conf
index 80cf5e3a1..05bb8ab6d 100644
--- a/testing/tests/sql/rw-psk-ipv6/test.conf
+++ b/testing/tests/sql/rw-psk-ipv6/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d-ip6.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
index 0e5bd03db..1648c9557 100644
--- a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
@@ -1,11 +1,16 @@
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
-moon::ipsec statusall::rw.*INSTALLED::YES
-carol::ipsec statusall::home.*ESTABLISHED::YES
-dave::ipsec statusall::home.*ESTABLISHED::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
index d4d57ad83..e9ad4bea6 100644
--- a/testing/tests/sql/rw-psk-rsa-split/posttest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 carol::rm /etc/ipsec.d/ipsec.*
 dave::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-psk-rsa-split/pretest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-psk-rsa-split/test.conf b/testing/tests/sql/rw-psk-rsa-split/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-psk-rsa-split/test.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-rsa-keyid/evaltest.dat b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
index 941df6ac9..4f5cd724c 100644
--- a/testing/tests/sql/rw-rsa-keyid/evaltest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/evaltest.dat
@@ -1,11 +1,14 @@
-moon::ipsec statusall::rw.*ESTABLISHED.*6a:9c:.*:29:2e.*1f:a1:.*:6e:7c::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*6a:9c:.*:29:2e.*ee:7f:.*:8e:0e::YES
-carol::ipsec statusall::home.*ESTABLISHED.*1f:a1:.*:6e:7c.*6a:9c:.*:29:2e::YES
-dave::ipsec statusall::home.*ESTABLISHED.*ee:7f:.*:8e:0e.*6a:9c:.*:29:2e::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*1f:a1:.*:6e:7c.*6a:9c:.*:29:2e::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*ee:7f:.*:8e:0e.*6a:9c:.*:29:2e::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*6a:9c:.*:29:2e.*1f:a1:.*:6e:7c::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*6a:9c:.*:29:2e.*ee:7f:.*:8e:0e::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
index 137aecdeb..d37a13039 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
index 137aecdeb..d37a13039 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
index 137aecdeb..d37a13039 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/posttest.dat b/testing/tests/sql/rw-rsa-keyid/posttest.dat
index b10aeb3aa..892650ccb 100644
--- a/testing/tests/sql/rw-rsa-keyid/posttest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.db
 carol::rm /etc/ipsec.d/ipsec.db
 dave::rm /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/rw-rsa-keyid/pretest.dat b/testing/tests/sql/rw-rsa-keyid/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-rsa-keyid/pretest.dat
+++ b/testing/tests/sql/rw-rsa-keyid/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-rsa-keyid/test.conf b/testing/tests/sql/rw-rsa-keyid/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-rsa-keyid/test.conf
+++ b/testing/tests/sql/rw-rsa-keyid/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/rw-rsa/evaltest.dat b/testing/tests/sql/rw-rsa/evaltest.dat
index cc565fb98..ba661975b 100644
--- a/testing/tests/sql/rw-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-rsa/evaltest.dat
@@ -1,9 +1,13 @@
-moon::ipsec statusall::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon::ipsec statusall::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec statusall::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave::ipsec statusall::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
index 137aecdeb..d37a13039 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
index 137aecdeb..d37a13039 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
index 137aecdeb..d37a13039 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/posttest.dat b/testing/tests/sql/rw-rsa/posttest.dat
index b10aeb3aa..892650ccb 100644
--- a/testing/tests/sql/rw-rsa/posttest.dat
+++ b/testing/tests/sql/rw-rsa/posttest.dat
@@ -1,9 +1,9 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.db
 carol::rm /etc/ipsec.d/ipsec.db
 dave::rm /etc/ipsec.d/ipsec.db
diff --git a/testing/tests/sql/rw-rsa/pretest.dat b/testing/tests/sql/rw-rsa/pretest.dat
index 76316f33d..fdd4df5f9 100644
--- a/testing/tests/sql/rw-rsa/pretest.dat
+++ b/testing/tests/sql/rw-rsa/pretest.dat
@@ -7,9 +7,9 @@ dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start
diff --git a/testing/tests/sql/rw-rsa/test.conf b/testing/tests/sql/rw-rsa/test.conf
index 70416826e..f29298850 100644
--- a/testing/tests/sql/rw-rsa/test.conf
+++ b/testing/tests/sql/rw-rsa/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/sql/shunt-policies/evaltest.dat b/testing/tests/sql/shunt-policies/evaltest.dat
index 2f6e1a91f..51dd9610b 100644
--- a/testing/tests/sql/shunt-policies/evaltest.dat
+++ b/testing/tests/sql/shunt-policies/evaltest.dat
@@ -1,15 +1,19 @@
-moon::ipsec statusall::net-net.*ESTABLISHED::YES
-sun::ipsec statusall::net-net.*ESTABLISHED::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-moon::ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
-bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::local-net.*PASS::YES
+moon:: ipsec status 2> /dev/null::venus-icmp.*DROP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
+venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
+bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 venus::ssh PH_IP_BOB hostname::bob::YES
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 2b90a14c7..000000000
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	# allow icmp in local net
-	iptables -A INPUT  -i eth1 -p icmp -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf
index 3bc29625f..a7fa09213 100644
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..af0f25209
--- /dev/null
+++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow icmp in local net
+-A INPUT  -i eth1 -p icmp -j ACCEPT
+-A OUTPUT -o eth1 -p icmp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf
index 90be03f69..b3a7bc0de 100644
--- a/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies/hosts/moon/etc/strongswan.conf
@@ -6,6 +6,6 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
   install_routes = no
 }
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf
index 3bc29625f..a7fa09213 100755..100644
--- a/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/sql/shunt-policies/hosts/sun/etc/ipsec.conf
@@ -1,8 +1,5 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-        crlcheckinterval=180
-        strictcrlpolicy=no
-        plutostart=no
 
 # configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf
index ee9fbbc66..930b72578 100644
--- a/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/sql/shunt-policies/hosts/sun/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
       database = sqlite:///etc/ipsec.d/ipsec.db 
     }
   }
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/shunt-policies/posttest.dat b/testing/tests/sql/shunt-policies/posttest.dat
index 13f7ede0a..329a572b2 100644
--- a/testing/tests/sql/shunt-policies/posttest.dat
+++ b/testing/tests/sql/shunt-policies/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
 moon::rm /etc/ipsec.d/ipsec.*
 sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/shunt-policies/pretest.dat b/testing/tests/sql/shunt-policies/pretest.dat
index 2ab18542f..a1777efb0 100644
--- a/testing/tests/sql/shunt-policies/pretest.dat
+++ b/testing/tests/sql/shunt-policies/pretest.dat
@@ -4,8 +4,8 @@ moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
 moon::ipsec start
 sun::ipsec start
 moon::sleep 1 
diff --git a/testing/tests/sql/shunt-policies/test.conf b/testing/tests/sql/shunt-policies/test.conf
index d9a61590f..646b8b3e6 100644
--- a/testing/tests/sql/shunt-policies/test.conf
+++ b/testing/tests/sql/shunt-policies/test.conf
@@ -1,21 +1,21 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-w-s-b.png"
  
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="sun"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/host2host-initiator/description.txt b/testing/tests/tkm/host2host-initiator/description.txt
new file mode 100644
index 000000000..467693b1e
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/description.txt
@@ -0,0 +1,3 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is set up. The host
+<b>moon</b> uses the Trusted Key Manager (TKM) and is the initiator of the
+transport connection. The authentication is based on X.509 certificates.
diff --git a/testing/tests/tkm/host2host-initiator/evaltest.dat b/testing/tests/tkm/host2host-initiator/evaltest.dat
new file mode 100644
index 000000000..d8d44dff6
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/evaltest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der
diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der
diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..2619c0089
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..e52a04f42
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	type=transport
+	auto=add
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/host2host-initiator/posttest.dat b/testing/tests/tkm/host2host-initiator/posttest.dat
new file mode 100644
index 000000000..34037bc23
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/posttest.dat
@@ -0,0 +1,4 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/host2host-initiator/pretest.dat b/testing/tests/tkm/host2host-initiator/pretest.dat
new file mode 100644
index 000000000..7cb90ac26
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+sun::ipsec start
+sun::expect-connection host-host
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::DAEMON_NAME=charon-tkm ipsec up conn1
diff --git a/testing/tests/tkm/host2host-initiator/test.conf b/testing/tests/tkm/host2host-initiator/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/host2host-responder/description.txt b/testing/tests/tkm/host2host-responder/description.txt
new file mode 100644
index 000000000..72eabdb6c
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/description.txt
@@ -0,0 +1,3 @@
+A connection between the hosts <b>moon</b> and <b>sun</b> is set up. The host
+<b>moon</b> uses the Trusted Key Manager (TKM) and is the responder of the
+transport connection. The authentication is based on X.509 certificates.
diff --git a/testing/tests/tkm/host2host-responder/evaltest.dat b/testing/tests/tkm/host2host-responder/evaltest.dat
new file mode 100644
index 000000000..d8d44dff6
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/evaltest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/moonKey.der
diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/strongswanCert.der
diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..2619c0089
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..6681dad11
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	auto=add
+	type=transport
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/host2host-responder/posttest.dat b/testing/tests/tkm/host2host-responder/posttest.dat
new file mode 100644
index 000000000..34037bc23
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/posttest.dat
@@ -0,0 +1,4 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/host2host-responder/pretest.dat b/testing/tests/tkm/host2host-responder/pretest.dat
new file mode 100644
index 000000000..40e84453f
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+sun::ipsec start
+sun::expect-connection host-host
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::ipsec up host-host
diff --git a/testing/tests/tkm/host2host-responder/test.conf b/testing/tests/tkm/host2host-responder/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/host2host-xfrmproxy/description.txt b/testing/tests/tkm/host2host-xfrmproxy/description.txt
new file mode 100644
index 000000000..b728a317d
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/description.txt
@@ -0,0 +1,5 @@
+A transport connection between the hosts <b>moon</b> and <b>sun</b> is set up.
+The host <b>moon</b> starts the Trusted Key Manager (TKM) and the Ada XFRM
+proxy, which relays XFRM kernel messages to charon. The authentication is based
+on X.509 certificates. The connection is initiated by a ping from <b>moon</b> to
+<b>sun</b>.
diff --git a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
new file mode 100644
index 000000000..7c8c6b24a
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
@@ -0,0 +1,13 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/moonKey.der
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..2619c0089
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..e52a04f42
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	type=transport
+	auto=add
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..dc937641c
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/host2host-xfrmproxy/posttest.dat b/testing/tests/tkm/host2host-xfrmproxy/posttest.dat
new file mode 100644
index 000000000..99efe7b00
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/posttest.dat
@@ -0,0 +1,5 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall xfrm_proxy
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/host2host-xfrmproxy/pretest.dat b/testing/tests/tkm/host2host-xfrmproxy/pretest.dat
new file mode 100644
index 000000000..d645ddbfe
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/pretest.dat
@@ -0,0 +1,12 @@
+sun::ipsec start
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+moon::expect-file /tmp/tkm.rpc.ees
+moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::expect-connection host-host
+moon::ping -c 3 192.168.0.2
diff --git a/testing/tests/tkm/host2host-xfrmproxy/test.conf b/testing/tests/tkm/host2host-xfrmproxy/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/multiple-clients/description.txt b/testing/tests/tkm/multiple-clients/description.txt
new file mode 100644
index 000000000..c8e72d51d
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/description.txt
@@ -0,0 +1,5 @@
+Two transport connections to gateway <b>sun</b> are set up, one from client
+<b>carol</b> and the other from client <b>dave</b>. The gateway <b>sun</b> uses
+the Trusted Key Manager (TKM) and is the responder for both connections. The
+authentication is based on X.509 certificates. In order to test the connections,
+both <b>carol</b> and <b>dave</b> ping gateway <b>sun</b>.
diff --git a/testing/tests/tkm/multiple-clients/evaltest.dat b/testing/tests/tkm/multiple-clients/evaltest.dat
new file mode 100644
index 000000000..8e0042102
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/evaltest.dat
@@ -0,0 +1,23 @@
+sun::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*sun.strongswan.org.*carol.strongswan.org::YES
+sun::ipsec stroke status 2> /dev/null::conn2.*ESTABLISHED.*sun.strongswan.org.*dave.strongswan.org::YES
+carol::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*carol.strongswan.org.*sun.strongswan.org::YES
+dave::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*dave.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec stroke status 2> /dev/null::conn2.*INSTALLED, TRANSPORT::YES
+carol::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+dave::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+carol::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+dave::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES
+dave::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
+sun::cat /tmp/tkm.log::RSA private key '/etc/tkm/sunKey.der' loaded::YES
+sun::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.2 <-> 192.168.0.100 \]::YES
+sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES
+sun::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+sun::cat /tmp/tkm.log::Checked CA certificate of CC context 2::YES
+sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES
+sun::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+sun::cat /tmp/tkm.log::Adding SA \[ 2, 192.168.0.2 <-> 192.168.0.200, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..10ee3e89d
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn host-host
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_SUN
+	rightid=sun.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	type=transport
+	auto=add
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ca23c6971
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..6ba0a97ce
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn host-host
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	right=PH_IP_SUN
+	rightid=sun.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	type=transport
+	auto=add
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ca23c6971
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/strongswanCert.der b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/strongswanCert.der
diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/sunKey.der b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/sunKey.der
new file mode 100644
index 000000000..4c47db093
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/sunKey.der
diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/tkm.conf b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/tkm.conf
new file mode 100644
index 000000000..216625e4c
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/tkm.conf
@@ -0,0 +1,36 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>sun.strongswan.org</identity>
+        <certificate>sunCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.2</ip>
+        </local>
+        <remote>
+            <identity>carol@strongswan.org</identity>
+            <ip>192.168.0.100</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+    <policy id="2">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.2</ip>
+        </local>
+        <remote>
+            <identity>dave@strongswan.org</identity>
+            <ip>192.168.0.200</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/multiple-clients/posttest.dat b/testing/tests/tkm/multiple-clients/posttest.dat
new file mode 100644
index 000000000..9a4a9bc9d
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/posttest.dat
@@ -0,0 +1,5 @@
+sun::DAEMON_NAME=charon-tkm ipsec stop
+sun::killall tkm_keymanager
+sun::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+carol::ipsec stop
+dave::ipsec stop
diff --git a/testing/tests/tkm/multiple-clients/pretest.dat b/testing/tests/tkm/multiple-clients/pretest.dat
new file mode 100644
index 000000000..ec83662f5
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/pretest.dat
@@ -0,0 +1,14 @@
+sun::rm /etc/ipsec.secrets
+sun::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+sun::cat /etc/ipsec.conf
+sun::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/sunKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+sun::expect-file /tmp/tkm.rpc.ike
+sun::DAEMON_NAME=charon-tkm ipsec start
+carol::ipsec start
+carol::expect-connection host-host
+dave::ipsec start
+dave::expect-connection host-host
+sun::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::DAEMON_NAME=charon-tkm expect-connection conn2
+carol::ipsec up host-host
+dave::ipsec up host-host
diff --git a/testing/tests/tkm/multiple-clients/test.conf b/testing/tests/tkm/multiple-clients/test.conf
new file mode 100644
index 000000000..1dd36309d
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="carol dave sun winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="carol dave sun"
diff --git a/testing/tests/tkm/net2net-initiator/description.txt b/testing/tests/tkm/net2net-initiator/description.txt
new file mode 100644
index 000000000..40f2a8013
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/description.txt
@@ -0,0 +1,5 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
+is set up. The host <b>moon</b> uses the Trusted Key Manager (TKM) and is the
+initiator of the tunnel connection. The authentication is based on X.509
+certificates. In order to test the tunnel, client <b>alice</b> behind gateway
+<b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/tkm/net2net-initiator/evaltest.dat b/testing/tests/tkm/net2net-initiator/evaltest.dat
new file mode 100644
index 000000000..8d4794f0d
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/evaltest.dat
@@ -0,0 +1,12 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES
+sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/moonKey.der
diff --git a/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..717b0a6f4
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,23 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>tunnel</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+            <net mask="16">10.1.0.0</net>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+            <net mask="16">10.2.0.0</net>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf
index 428b10ce6..21b613d20 100755..100644
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf
@@ -1,24 +1,23 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	nocrsend=yes
-	charonstart=no
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
-	
+	keyexchange=ikev2
+	mobike=no
+
 conn net-net
 	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
 	leftsubnet=10.2.0.0/16
-	leftcert=sunCert.asc
-	leftid=@#b42f31fec80ae3264a101c85977a04ac8d1638d3
-	leftfirewall=yes
 	right=PH_IP_MOON
+	rightid=moon.strongswan.org
 	rightsubnet=10.1.0.0/16
-	rightcert=moonCert.asc
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
 	auto=add
diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..94e0b2a62
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/tkm/net2net-initiator/posttest.dat b/testing/tests/tkm/net2net-initiator/posttest.dat
new file mode 100644
index 000000000..34037bc23
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/posttest.dat
@@ -0,0 +1,4 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/net2net-initiator/pretest.dat b/testing/tests/tkm/net2net-initiator/pretest.dat
new file mode 100644
index 000000000..f84c8fcd2
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/pretest.dat
@@ -0,0 +1,10 @@
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+sun::ipsec start
+sun::expect-connection net-net
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+moon::DAEMON_NAME=charon-tkm ipsec up conn1
diff --git a/testing/tests/tkm/net2net-initiator/test.conf b/testing/tests/tkm/net2net-initiator/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/net2net-xfrmproxy/description.txt b/testing/tests/tkm/net2net-xfrmproxy/description.txt
new file mode 100644
index 000000000..b42c89c52
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
+is set up. The host <b>moon</b> starts the Trusted Key Manager (TKM) and the Ada
+XFRM proxy, which relays XFRM kernel messages to charon. The authentication is
+based on X.509 certificates. In order to test the tunnel, client <b>alice</b>
+behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway
+<b>sun</b>.
diff --git a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
new file mode 100644
index 000000000..a38dba0ee
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
@@ -0,0 +1,13 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES
+sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding SA \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..97f0963f8
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/moonKey.der
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..717b0a6f4
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,23 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>tunnel</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+            <net mask="16">10.1.0.0</net>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+            <net mask="16">10.2.0.0</net>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..21b613d20
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	auto=add
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..94e0b2a62
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/tkm/net2net-xfrmproxy/posttest.dat b/testing/tests/tkm/net2net-xfrmproxy/posttest.dat
new file mode 100644
index 000000000..24544307a
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/posttest.dat
@@ -0,0 +1,4 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/net2net-xfrmproxy/pretest.dat b/testing/tests/tkm/net2net-xfrmproxy/pretest.dat
new file mode 100644
index 000000000..4732a37f6
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/pretest.dat
@@ -0,0 +1,12 @@
+sun::ipsec start
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+moon::expect-file /tmp/tkm.rpc.ees
+moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::expect-connection net-net
+alice::ping -c 3 PH_IP_BOB
diff --git a/testing/tests/tkm/net2net-xfrmproxy/test.conf b/testing/tests/tkm/net2net-xfrmproxy/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
index a02755148..6b7c713ef 100644
--- a/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf
index ca55d84a2..caa5bc17a 100755..100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
index 579601b85..73646f8db 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf
index 93807bb66..ba149c4ba 100755..100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
index 579601b85..73646f8db 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf
index 32c3357a3..0fdad8607 100755..100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
index e3518f5b9..3975f09a9 100644
--- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-11-fhh/posttest.dat b/testing/tests/tnc/tnccs-11-fhh/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-11-fhh/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
index c7a30ee7c..8fab1fb6c 100644
--- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat
@@ -1,14 +1,14 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 carol::cat /etc/tnc/dummyimc.file
 dave::cat /etc/tnc/dummyimc.file
-moon::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-11-fhh/test.conf b/testing/tests/tnc/tnccs-11-fhh/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-11-fhh/test.conf
+++ b/testing/tests/tnc/tnccs-11-fhh/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
index 517ea9ab2..d93407434 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
@@ -2,13 +2,13 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES         
-moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf
index 31556361e..31556361e 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
index 2d4961288..2d4961288 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/users b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/users
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary
deleted file mode 100644
index 1a27a02fc..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary
+++ /dev/null
@@ -1,2 +0,0 @@
-$INCLUDE	/usr/share/freeradius/dictionary
-$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
deleted file mode 100644
index f295467a9..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
+++ /dev/null
@@ -1,5 +0,0 @@
-ATTRIBUTE	TNC-Status	3001	integer
-
-VALUE	TNC-Status	Access	0 
-VALUE	TNC-Status	Isolate	1
-VALUE	TNC-Status	None	2
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
index acd4630d2..06c34ed9a 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/alice/etc/strongswan.conf
@@ -2,6 +2,7 @@
 
 libimcv {
   debug_level = 3
+  assessment_result = no
   plugins {
     imv-scanner {
       closed_port_policy = no
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf
index a639b0426..e9152e0d8 100755..100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
index 7bff51d6b..4cc205cf7 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
 
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf
index 5da78b4ab..25589bcf1 100755..100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
index 579601b85..ac469590c 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,14 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
+
+libimcv {
+  plugins {
+    imc-scanner {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf
index fc8f84638..98e2525ba 100755..100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
index ab71e5908..5bf9dc03b 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
index 51d8ca1b3..5e5a8514d 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/posttest.dat
@@ -2,8 +2,8 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 alice::killall radiusd
-alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 dave::/etc/init.d/apache2 stop 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
index 0fa88dbc7..96163aa36 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat
@@ -1,13 +1,13 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 dave::/etc/init.d/apache2 start 2> /dev/null
-alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
-alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
 alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
 moon::ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
-dave::LEAK_DETECTIVE_DISABLE=1 ipsec start
+carol::ipsec start
+dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-11-radius-block/test.conf b/testing/tests/tnc/tnccs-11-radius-block/test.conf
index bb6b68687..29bfaa78c 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius-block/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/description.txt b/testing/tests/tnc/tnccs-11-radius-pts/description.txt
new file mode 100644
index 000000000..f71837b6d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/description.txt
@@ -0,0 +1,14 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate.
+<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
+<a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup">
+<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+The communication between the OS and Attestation IMC and the Attestation IMV is based on the
+ <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
+are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
new file mode 100644
index 000000000..e22b767f7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf
index 31556361e..31556361e 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/eap.conf
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel
index e088fae14..e088fae14 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
index f91bccc72..c5bde6a9e 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
@@ -17,14 +17,14 @@ session {
 post-auth {
 	if (control:TNC-Status == "Access") {
 		update reply {
-			Tunnel-Type := ESP 
+			Tunnel-Type := ESP
 			Filter-Id := "allow"
 		}
 	}
 	elsif (control:TNC-Status == "Isolate") {
 		update reply {
-			Tunnel-Type := ESP 
-			Filter-Id := "isolate"	
+			Tunnel-Type := ESP
+			Filter-Id := "isolate"
 		}
 	}
 
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users
index 50ccf3e76..50ccf3e76 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/freeradius/users
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql
new file mode 100644
index 000000000..090eb47ff
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql
@@ -0,0 +1,873 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 4, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+INSERT INTO policies (                  /* 16 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  9, 'Measure /bin', 1, 2, 2
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 2, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  16, 2, 0
+);
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..23f840f69
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+  load = random nonce openssl pubkey sqlite
+  debug_level = 3 
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+  assessment_result = no
+}
+
+attest {
+  database = sqlite:///etc/pts/config.db
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties
new file mode 100644
index 000000000..2bdc6e4de
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc/log4cxx.properties
@@ -0,0 +1,15 @@
+# Set root logger level to DEBUG and its appenders to A1 and A2.
+log4j.rootLogger=DEBUG, A1, A2
+
+# A1 is set to be a ConsoleAppender.
+log4j.appender.A1=org.apache.log4j.ConsoleAppender
+log4j.appender.A1.layout=org.apache.log4j.PatternLayout
+log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n
+
+# A2 is set to be a SyslogAppender
+log4j.appender.A2=org.apache.log4j.net.SyslogAppender
+log4j.appender.A2.Facility=DAEMON
+log4j.appender.A2.SyslogHost=localhost
+log4j.appender.A2.Threshold=DEBUG
+log4j.appender.A2.layout=org.apache.log4j.PatternLayout
+log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..b5ac8c178
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf
index 7c2bb3a98..e9152e0d8 100755..100644
--- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.conf
@@ -1,28 +1,23 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutodebug=control
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
+	keyexchange=ikev2
 
 conn home
 	left=PH_IP_CAROL
-	leftcert=myCert.pem
 	leftid=carol@strongswan.org
+	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
-	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
 	auto=add
-
-
-
-
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..56c6b9f57
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  multiple_authentication=no
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..25589bcf1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..145ad9d2d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  multiple_authentication=no
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+    imc-scanner {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf
index e844ba989..294964fe7 100755..100644
--- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.conf
@@ -1,28 +1,33 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	crlcheckinterval=180
-	strictcrlpolicy=no
-	charonstart=no
-	plutodebug=control
 
 conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
 	keyingtries=1
-	keyexchange=ikev1
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftfirewall=yes
-	right=%any
+	keyexchange=ikev2
 
-conn int 
-	left=PH_IP_MOON1
-	rightsourceip=%intpool
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
 	auto=add
 
-conn ext 
-	left=PH_IP_MOON
-	rightsourceip=10.3.0.0/28
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
 	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-radius
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets
index ee98b1611..e86d6aa5c 100644
--- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-: RSA sunKey.asc
+: RSA moonKey.pem
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..390c42ccf
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs 
+      server = PH_IP_ALICE
+      filter_id = yes
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
new file mode 100644
index 000000000..dc8507d26
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::killall radiusd
+alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::rm /etc/pts/config.db
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
new file mode 100644
index 000000000..5f94f8dbb
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat
@@ -0,0 +1,21 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
+alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+dave::ipsec start
+carol::ipsec start
+dave::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
+alice::ipsec attest --sessions
+alice::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/test.conf b/testing/tests/tnc/tnccs-11-radius-pts/test.conf
new file mode 100644
index 000000000..f23a19329
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius-pts/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
index d0ea22ba9..e22b767f7 100644
--- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES            
-moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/eap.conf
@@ -0,0 +1,25 @@
+eap {
+  md5 {
+  }
+  default_eap_type = ttls
+  tls {
+    private_key_file = /etc/raddb/certs/aaaKey.pem
+    certificate_file = /etc/raddb/certs/aaaCert.pem
+    CA_file = /etc/raddb/certs/strongswanCert.pem
+    cipher_list = "DEFAULT"
+    dh_file = /etc/raddb/certs/dh
+    random_file = /etc/raddb/certs/random
+  }
+  ttls {
+    default_eap_type = md5
+    use_tunneled_reply = yes
+    virtual_server = "inner-tunnel"
+    tnc_virtual_server = "inner-tunnel-second"
+  }
+}
+
+eap eap_tnc {
+      default_eap_type = tnc
+      tnc {
+      }
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+  type     = radius
+  authhost = LOCAL
+  accthost = LOCAL
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
new file mode 100644
index 000000000..dd0825858
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/default
@@ -0,0 +1,43 @@
+authorize {
+  suffix
+  eap {
+    ok = return
+  }
+  files
+}
+
+authenticate {
+  eap
+}
+
+preacct {
+  preprocess
+  acct_unique
+  suffix
+  files
+}
+
+accounting {
+  detail
+  unix
+  radutmp
+  attr_filter.accounting_response
+}
+
+session {
+  radutmp
+}
+
+post-auth {
+  exec
+  Post-Auth-Type REJECT {
+    attr_filter.access_reject
+  }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+  eap
+}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+	suffix
+	eap {
+		ok = return
+	}
+	files
+}
+
+authenticate {
+	eap
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+pre-proxy {
+}
+
+post-proxy {
+	eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..c5bde6a9e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second
@@ -0,0 +1,36 @@
+server inner-tunnel-second {
+
+authorize {
+	eap_tnc {
+		ok = return
+	}
+}
+
+authenticate {
+	eap_tnc
+}
+
+session {
+	radutmp
+}
+
+post-auth {
+	if (control:TNC-Status == "Access") {
+		update reply {
+			Tunnel-Type := ESP
+			Filter-Id := "allow"
+		}
+	}
+	elsif (control:TNC-Status == "Isolate") {
+		update reply {
+			Tunnel-Type := ESP
+			Filter-Id := "isolate"
+		}
+	}
+
+	Post-Auth-Type REJECT {
+		attr_filter.access_reject
+	}
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/freeradius/users
@@ -0,0 +1,2 @@
+carol	Cleartext-Password := "Ar3etTnp"
+dave	Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
-  secret    = gv6URkSs 
-  shortname = moon
-}
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary
deleted file mode 100644
index 1a27a02fc..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary
+++ /dev/null
@@ -1,2 +0,0 @@
-$INCLUDE	/usr/share/freeradius/dictionary
-$INCLUDE	/etc/raddb/dictionary.tnc
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc
deleted file mode 100644
index f295467a9..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc
+++ /dev/null
@@ -1,5 +0,0 @@
-ATTRIBUTE	TNC-Status	3001	integer
-
-VALUE	TNC-Status	Access	0 
-VALUE	TNC-Status	Isolate	1
-VALUE	TNC-Status	None	2
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf	-- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-#  name of the running server.  See also the "-n" command-line option.
-name = radiusd
-
-#  Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-#  pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-#  max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-#  cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-#  max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-#  listen: Make the server listen on a particular IP address, and send
-listen {
-  type = auth
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  This second "listen" section is for listening on the accounting
-#  port, too.
-#
-listen {
-  type  = acct
-  ipaddr = PH_IP_ALICE 
-  port = 0
-}
-
-#  hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-#  Core dumps are a bad thing.  This should only be set to 'yes'
-allow_core_dumps = no
-
-#  Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-#  Logging section.  The various "log_*" configuration items
-log {
-  destination = files
-  file = ${logdir}/radius.log
-  syslog_facility = daemon
-  stripped_names = no
-  auth = yes 
-  auth_badpass = yes 
-  auth_goodpass = yes 
-}
-
-#  The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-#  Security considerations
-security {
-  max_attributes = 200
-  reject_delay = 1
-  status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
-  start_servers = 5
-  max_servers = 32
-  min_spare_servers = 3
-  max_spare_servers = 10
-  max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
-  $INCLUDE ${confdir}/modules/
-  $INCLUDE eap.conf
-  $INCLUDE sql.conf
-  $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
-  exec
-  expr
-  expiration
-  logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
-  suffix
-  eap {
-    ok = return
-  }
-  files
-}
-
-authenticate {
-  eap
-}
-
-preacct {
-  preprocess
-  acct_unique
-  suffix
-  files
-}
-
-accounting {
-  detail
-  unix
-  radutmp
-  attr_filter.accounting_response
-}
-
-session {
-  radutmp
-}
-
-post-auth {
-  exec
-  Post-Auth-Type REJECT {
-    attr_filter.access_reject
-  }
-}
-
-pre-proxy {
-}
-
-post-proxy {
-  eap
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
index 5d586066b..45050f7e1 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf
@@ -2,14 +2,10 @@
 
 libimcv {
   debug_level = 3 
+  assessment_result = no
   plugins {
     imv-test {
       rounds = 1 
     }
-    imv-scanner {
-      closed_port_policy = yes
-      tcp_ports = 22
-      udp_ports = 500 4500
-    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf
index a639b0426..e9152e0d8 100755..100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
index 7bff51d6b..4cc205cf7 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
 
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf
index 5da78b4ab..25589bcf1 100755..100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
index a599122bc..5dbee558f 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
 
@@ -10,5 +10,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf
index 33dcdcfb0..294964fe7 100755..100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
index 40be81b48..390c42ccf 100644
--- a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/tnc/tnccs-11-radius/posttest.dat
index 86bd89dea..a64a9147c 100644
--- a/testing/tests/tnc/tnccs-11-radius/posttest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/posttest.dat
@@ -2,7 +2,7 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 alice::killall radiusd
-alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat
index b5d284278..71dff71b7 100644
--- a/testing/tests/tnc/tnccs-11-radius/pretest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat
@@ -1,15 +1,15 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
-alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
+alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
 alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
 alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
 moon::ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
-dave::LEAK_DETECTIVE_DISABLE=1 ipsec start
+carol::ipsec start
+dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-11-radius/test.conf b/testing/tests/tnc/tnccs-11-radius/test.conf
index 2a52df203..f23a19329 100644
--- a/testing/tests/tnc/tnccs-11-radius/test.conf
+++ b/testing/tests/tnc/tnccs-11-radius/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS="alice"
 
diff --git a/testing/tests/tnc/tnccs-11/evaltest.dat b/testing/tests/tnc/tnccs-11/evaltest.dat
index a02755148..6b7c713ef 100644
--- a/testing/tests/tnc/tnccs-11/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf
index 105fcbec6..e2bf349d9 100755..100644
--- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
index 7bff51d6b..4cc205cf7 100644
--- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
 
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf
index 97f322c28..77446cbae 100755..100644
--- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
index a599122bc..5dbee558f 100644
--- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
 }
 
@@ -10,5 +10,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf
index 997db0df7..e21ef0d14 100755..100644
--- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3, imv 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
index 60313e946..2fe4cf001 100644
--- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
@@ -17,10 +17,5 @@ libimcv {
     imv-test {
       rounds = 1
     }
-    imv-scanner {
-      closed_port_policy = yes
-      tcp_ports = 22
-      udp_ports = 500 4500
-    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-11/posttest.dat b/testing/tests/tnc/tnccs-11/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-11/posttest.dat
+++ b/testing/tests/tnc/tnccs-11/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat
index dd729cb0b..cac1cfafc 100644
--- a/testing/tests/tnc/tnccs-11/pretest.dat
+++ b/testing/tests/tnc/tnccs-11/pretest.dat
@@ -1,12 +1,12 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
-moon::LEAK_DETECTIVE_DISABLE=1 ipsec start
-carol::LEAK_DETECTIVE_DISABLE=1 ipsec start
-dave::LEAK_DETECTIVE_DISABLE=1 ipsec start
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
 carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-11/test.conf b/testing/tests/tnc/tnccs-11/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-11/test.conf
+++ b/testing/tests/tnc/tnccs-11/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-block/evaltest.dat b/testing/tests/tnc/tnccs-20-block/evaltest.dat
index f1753c208..03b576efa 100644
--- a/testing/tests/tnc/tnccs-20-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-block/evaltest.dat
@@ -2,11 +2,11 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES 
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf
index 105fcbec6..e2bf349d9 100755..100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
index 264e8d121..ced332cc4 100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf
index 97f322c28..77446cbae 100755..100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
index 9167adb47..70a1b07e6 100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -12,3 +12,11 @@ charon {
     }
   }
 }
+
+libimcv {
+  plugins {
+    imc-scanner {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf
index 106cde446..9aeb02ac2 100755..100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3, imv 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
index d64c89ab8..59dce1874 100644
--- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-20-block/posttest.dat b/testing/tests/tnc/tnccs-20-block/posttest.dat
index 50bb7e117..2258e03ff 100644
--- a/testing/tests/tnc/tnccs-20-block/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-block/posttest.dat
@@ -1,7 +1,7 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
 dave::/etc/init.d/apache2 stop 2> /dev/null
diff --git a/testing/tests/tnc/tnccs-20-block/pretest.dat b/testing/tests/tnc/tnccs-20-block/pretest.dat
index 7b0a42fcd..f5b3b2e8c 100644
--- a/testing/tests/tnc/tnccs-20-block/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-block/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 dave::/etc/init.d/apache2 start 2> /dev/null
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-block/test.conf b/testing/tests/tnc/tnccs-20-block/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-block/test.conf
+++ b/testing/tests/tnc/tnccs-20-block/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
index 737c9b9ef..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf
index 847ca2e7f..a483d6df8 100755..100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
index 885271160..f202bbfa8 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf
index f0ad4721f..11378131a 100755..100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
index 7e848a25b..996169add 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -19,5 +19,8 @@ libimcv {
       command = isolate
       retry = yes
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf
index 9eec48402..b1093d46d 100755..100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3, imv 2"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
index bfc5d9531..3e6bc65a6 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
index 208f9daa9..b2b243ba3 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-client-retry/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-client-retry/test.conf b/testing/tests/tnc/tnccs-20-client-retry/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-client-retry/test.conf
+++ b/testing/tests/tnc/tnccs-20-client-retry/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
index 737c9b9ef..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf
index 847ca2e7f..a483d6df8 100755..100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
index 8d52bc084..18e715785 100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf
index f0ad4721f..11378131a 100755..100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
index 8d52bc084..18e715785 100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf
index 9eec48402..b1093d46d 100755..100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3, imv 2"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
index 04cae2ebb..602979cf6 100644
--- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-20-fhh/posttest.dat b/testing/tests/tnc/tnccs-20-fhh/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-fhh/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fhh/pretest.dat b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
index 76ad91f98..72c9b1665 100644
--- a/testing/tests/tnc/tnccs-20-fhh/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-fhh/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-fhh/test.conf b/testing/tests/tnc/tnccs-20-fhh/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-fhh/test.conf
+++ b/testing/tests/tnc/tnccs-20-fhh/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-os/description.txt b/testing/tests/tnc/tnccs-20-os/description.txt
new file mode 100644
index 000000000..f660a0b63
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/description.txt
@@ -0,0 +1,24 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
+is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
+exchange PA-TNC attributes.
+<p>
+<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
+<em>Product Information</em>, <em>String Version</em>, <em>Numeric Version</em>,
+<em>Operational Status</em>, <em>Forwarding Enabled</em>, <em>Factory Default Password Enabled</em>
+and <em>Device ID> up-front, whereas <b>dave</b> must be prompted by the IMV to do so via an
+<em>Attribute Request</em> PA-TNC attribute. <b>carol</b> is then prompted to send a list of
+installed packages using the <em>Installed Packages</em> PA-TNC attribute. Since <b>dave</b>
+successfully connected to the VPN gateway shortly before, no new list of installed packages is
+requested again but because IP forwarding is enabled <b>dave</b> receives a corresponding
+<em>Remediation Instructions</em> PA-TNC attribute.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these assessments
+which are communicated to the IMCs using the <em>Assessment Result</em> PA-TNC attribute,
+the clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate"
+subnets, respectively.
+</p>
diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat
new file mode 100644
index 000000000..0d3f55b45
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: ipsec attest --sessions 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec attest --sessions 2> /dev/null::Debian 7.0 x86_64.*dave@strongswan.org - isolate::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..34941e52c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = yes
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..25c28442f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..77446cbae
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..49f778f5b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = de
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..25c28442f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imv 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql
new file mode 100644
index 000000000..d17aac15e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql
@@ -0,0 +1,892 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 4, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  5, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+  type, value
+) VALUES ( /* dave@strongswan.org */
+  4, X'64617665407374726f6e677377616e2e6f7267'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+  time, connection, identity, device, product, rec
+) VALUES (
+  NOW, 1, 1, 1, 4, 0
+);
+
+/* Results */
+
+INSERT INTO results (
+  session, policy, rec, result
+) VALUES (
+  1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+INSERT INTO policies (                  /* 16 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  9, 'Measure /bin', 1, 2, 2
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  1, 1, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 2, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~
new file mode 100644
index 000000000..7373dd4b6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~
@@ -0,0 +1,852 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled', 1, 1 
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+INSERT INTO policies (                  /* 16 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  9, 'Measure /bin', 1, 2, 2
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  1, 1, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 2, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3e017e905
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+}
+
+attest {
+  load = random nonce openssl sqlite
+  database = sqlite:///etc/pts/config.db
+}
diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..b75a9cb1e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
diff --git a/testing/tests/tnc/tnccs-20-os/posttest.dat b/testing/tests/tnc/tnccs-20-os/posttest.dat
new file mode 100644
index 000000000..48514d6e0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat
new file mode 100644
index 000000000..333ac7462
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/pretest.dat
@@ -0,0 +1,19 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start 
+dave::ipsec start 
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
+moon::ipsec attest --packages --product 'Debian 7.0 x86_64'
+moon::ipsec attest --sessions
+moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-os/test.conf b/testing/tests/tnc/tnccs-20-os/test.conf
new file mode 100644
index 000000000..a8a05af19
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-os/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
index ab78a9b76..f028ec609 100644
--- a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
@@ -1,19 +1,20 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES            
-moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
-
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
+moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf
index bdba8d32d..6f673dcc5 100755..100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imv 3"
 
 conn aaa
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
index 96b9a8dd5..11d45cd14 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
@@ -2,5 +2,5 @@
 
 : RSA aaaKey.pem
 
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org  : EAP "W7R0g3do"
+carol : EAP "Ar3etTnp"
+dave  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
index b3769c7d9..70da7766a 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -24,10 +24,5 @@ libimcv {
     imv-test {
       rounds = 1 
     }
-    imv-scanner {
-      closed_port_policy = yes
-      tcp_ports = 22
-      udp_ports = 500 4500
-    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
index a639b0426..59563730b 100755..100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -13,12 +12,12 @@ conn %default
 
 conn home
 	left=PH_IP_CAROL
-	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightauth=pubkey
+	eap_identity=carol
 	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
index 74942afda..23d79cf2e 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-carol@strongswan.org : EAP "Ar3etTnp"
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf
index 2f9a6d0b7..808f1d11a 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   plugins {
     eap-tnc {
       protocol = tnccs-2.0
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
index 5da78b4ab..8c27c78d2 100755..100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -13,12 +12,12 @@ conn %default
 
 conn home
 	left=PH_IP_DAVE
-	leftid=dave@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
 	rightsubnet=10.1.0.0/16
 	rightauth=pubkey
+	eap_identity=dave
 	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
index 5496df7ad..02e0c9963 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
@@ -1,3 +1,3 @@
 # /etc/ipsec.secrets - strongSwan IPsec secrets file
 
-dave@strongswan.org : EAP "W7R0g3do"
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf
index 050d41b9f..96ff63ab1 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   plugins {    
     eap-tnc {
       protocol = tnccs-2.0
@@ -14,5 +14,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scannner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
-	before net
-	need logger
-}
-
-start() {
-	ebegin "Starting firewall"
-
-	# enable IP forwarding
-	echo 1 > /proc/sys/net/ipv4/ip_forward
-	
-	# default policy is DROP
-	/sbin/iptables -P INPUT DROP
-	/sbin/iptables -P OUTPUT DROP
-	/sbin/iptables -P FORWARD DROP
-
-	# allow esp
-	iptables -A INPUT  -i eth0 -p 50 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-	# allow IKE
-	iptables -A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-	# allow MobIKE
-	iptables -A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-	# allow crl fetch from winnetou
-	iptables -A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
-	iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-	# allow RADIUS protocol with alice
-	iptables -A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
-	iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-	# allow ssh
-	iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
-	iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-	
-			if [ $a == nat ]; then
-				/sbin/iptables -t nat -P PREROUTING ACCEPT
-				/sbin/iptables -t nat -P POSTROUTING ACCEPT
-				/sbin/iptables -t nat -P OUTPUT ACCEPT
-			elif [ $a == mangle ]; then
-				/sbin/iptables -t mangle -P PREROUTING ACCEPT
-				/sbin/iptables -t mangle -P INPUT ACCEPT
-				/sbin/iptables -t mangle -P FORWARD ACCEPT
-				/sbin/iptables -t mangle -P OUTPUT ACCEPT
-				/sbin/iptables -t mangle -P POSTROUTING ACCEPT
-			elif [ $a == filter ]; then
-				/sbin/iptables -t filter -P INPUT ACCEPT
-				/sbin/iptables -t filter -P FORWARD ACCEPT
-				/sbin/iptables -t filter -P OUTPUT ACCEPT
-			fi
-		done
-	eend $?
-}
-
-reload() {
-	ebegin "Flushing firewall"
-		for a in `cat /proc/net/ip_tables_names`; do
-			/sbin/iptables -F -t $a
-			/sbin/iptables -X -t $a
-		done;
-        eend $?
-	start
-}
-
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
index 33dcdcfb0..02ada5665 100755..100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 
 conn %default
 	ikelifetime=60m
@@ -30,6 +28,6 @@ conn rw-eap
 	leftauth=pubkey
 	leftfirewall=yes
 	rightauth=eap-radius
-	rightid=*@strongswan.org
 	rightsendcert=never
 	right=%any
+	eap_identity=%any
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules
new file mode 100644
index 000000000..1eb755354
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
index d298c17ad..d32951866 100644
--- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
   multiple_authentication=no
   plugins {
     eap-radius {
diff --git a/testing/tests/tnc/tnccs-20-pdp/posttest.dat b/testing/tests/tnc/tnccs-20-pdp/posttest.dat
index 16218f385..e7eecd5f4 100644
--- a/testing/tests/tnc/tnccs-20-pdp/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/posttest.dat
@@ -2,6 +2,6 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 alice::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp/pretest.dat b/testing/tests/tnc/tnccs-20-pdp/pretest.dat
index 9b9d6b699..32ed4d854 100644
--- a/testing/tests/tnc/tnccs-20-pdp/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 alice::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-pdp/test.conf b/testing/tests/tnc/tnccs-20-pdp/test.conf
index 400628531..c4ca1a19f 100644
--- a/testing/tests/tnc/tnccs-20-pdp/test.conf
+++ b/testing/tests/tnc/tnccs-20-pdp/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave alice"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-pts/description.txt b/testing/tests/tnc/tnccs-20-pts/description.txt
new file mode 100644
index 000000000..e78a70091
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/description.txt
@@ -0,0 +1,22 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
+is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
+exchange PA-TNC attributes.
+<p>
+<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
+<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
+to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
+<em>Attribute Request</em> PA-TNC attribute. <b>dave</b> is instructed to do a reference
+measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to
+measure a couple of individual files and the files in the <b>/bin</b> directory as
+well as to get metadata on the <b>/etc/tnc_confg</b> configuration file.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails because IP forwarding is
+enabled. Based on these assessments which are communicated to the IMCs using the
+<em>Assessment Result</em> PA-TNC attribute, the clients are connected by gateway <b>moon</b>
+to the "rw-allow" and "rw-isolate" subnets, respectively.
+</p>
diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
new file mode 100644
index 000000000..100754332
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.0 x86_64.*dave@strongswan.org - isolate::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..d17473db1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..e6046833c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = yes
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..d459bfc6c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..3236a18fa
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = de
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..15dc93a0a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..bc8b2d8f9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imv 3, pts 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql
new file mode 100644
index 000000000..090eb47ff
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql
@@ -0,0 +1,873 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 6.0 i686'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 6.0 x86_64'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Debian 8.0 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Debian 8.0 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+INSERT INTO directories (		/* 13 */
+  path
+) VALUES (
+ '/system/bin'
+);
+
+INSERT INTO directories (		/* 14 */
+  path
+) VALUES (
+ '/system/lib'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 4, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 4, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name
+) VALUES (
+  'Default'
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Linux', 1
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Android', 1
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Debian i686', 2
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 2
+);
+
+INSERT INTO groups (			/*  7 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 2
+);
+
+INSERT INTO groups (			/*  8 */
+  name
+) VALUES (
+  'Reference'
+);
+
+INSERT INTO groups (			/*  9 */
+  name, parent
+) VALUES (
+  'Ref. Android', 8
+);
+
+INSERT INTO groups (			/* 10 */
+  name, parent
+) VALUES (
+  'Ref. Linux', 8
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 1
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 4
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 7
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 13
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  6, 19
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 10
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 16
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  7, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 22
+);
+
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 4, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, argument, rec_fail, rec_noresult
+) VALUES (
+  13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+INSERT INTO policies (			/* 14 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/bin', 13, 0, 0
+);
+
+INSERT INTO policies (			/* 15 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Get /system/lib', 14, 0, 0
+);
+
+INSERT INTO policies (                  /* 16 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  9, 'Measure /bin', 1, 2, 2
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 3, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 2, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 1, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 2, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 10, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 5, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  14, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  15, 9, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  16, 2, 0
+);
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..0298a5151
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,32 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+  plugins {
+    imv-attestation {
+      hash_algorithm = sha1
+    }
+  }
+}
+
+attest {
+  load = random nonce openssl sqlite
+  database = sqlite:///etc/pts/config.db
+}
+
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..6507baaa1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS"          /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts/posttest.dat b/testing/tests/tnc/tnccs-20-pts/posttest.dat
new file mode 100644
index 000000000..48514d6e0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat
new file mode 100644
index 000000000..cb6c131ef
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat
@@ -0,0 +1,18 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+dave::ipsec start 
+carol::ipsec start 
+dave::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
+moon::ipsec attest --sessions
+moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-pts/test.conf b/testing/tests/tnc/tnccs-20-pts/test.conf
new file mode 100644
index 000000000..a8a05af19
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pts/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
index 737c9b9ef..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf
index 847ca2e7f..a483d6df8 100755..100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
index e296bcf0b..6f145ab0b 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf
index f0ad4721f..11378131a 100755..100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 2"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
index fc9c86b86..fce949901 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -19,5 +19,8 @@ libimcv {
       command = retry 
       retry_command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf
index 9eec48402..b1093d46d 100755..100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3, imv 2"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
index bfc5d9531..3e6bc65a6 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
index 208f9daa9..b2b243ba3 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-server-retry/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-server-retry/test.conf b/testing/tests/tnc/tnccs-20-server-retry/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-server-retry/test.conf
+++ b/testing/tests/tnc/tnccs-20-server-retry/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
index bbc0603b6..40d5e24d5 100644
--- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES              
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
index fe26aaede..eece9f294 100755..100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 2, imc 2"
 
 conn %default
@@ -14,11 +13,11 @@ conn %default
 conn home
 	left=PH_IP_CAROL
 	leftcert=carolCert.pem
-	leftid=carol@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
index c38dc7de5..ada13a325 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
index e1cfd14bb..362042656 100755..100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 2, imc 2"
 
 conn %default
@@ -14,11 +13,11 @@ conn %default
 conn home
 	left=PH_IP_DAVE
 	leftcert=daveCert.pem
-	leftid=dave@strongswan.org
 	leftauth=eap
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
index f8fe44563..0870ca667 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -15,5 +15,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf
index 80bcb5a5a..0ec930286 100755..100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 2, imv 2"
 
 conn %default
@@ -31,6 +29,6 @@ conn rw-eap
 	leftauth=eap-ttls
 	leftfirewall=yes
 	rightauth=eap-ttls
-	rightid=*@strongswan.org
+	rightid="C=CH, O=Linux strongSwan, OU=*, CN=*"
 	rightsendcert=never
 	right=%any
diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
index 47fb3253f..bc1d421c1 100644
--- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-20-tls/posttest.dat b/testing/tests/tnc/tnccs-20-tls/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20-tls/posttest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-tls/pretest.dat b/testing/tests/tnc/tnccs-20-tls/pretest.dat
index c332f131b..cac1cfafc 100644
--- a/testing/tests/tnc/tnccs-20-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-tls/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20-tls/test.conf b/testing/tests/tnc/tnccs-20-tls/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20-tls/test.conf
+++ b/testing/tests/tnc/tnccs-20-tls/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-20/evaltest.dat b/testing/tests/tnc/tnccs-20/evaltest.dat
index 737c9b9ef..bac7294b2 100644
--- a/testing/tests/tnc/tnccs-20/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20/evaltest.dat
@@ -1,19 +1,19 @@
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
index 847ca2e7f..e2bf349d9 100755..100644
--- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/ipsec.conf
@@ -1,8 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
-	charondebug="tnc 3, imc 2"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
index 50d7af66b..6d8c10eab 100644
--- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
index f0ad4721f..77446cbae 100755..100644
--- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/ipsec.conf
@@ -1,8 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
-	charondebug="tnc 3, imc 2"
+	charondebug="tnc 3, imc 3"
 
 conn %default
 	ikelifetime=60m
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
index b67541c3c..1e5f50b05 100644
--- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -19,5 +19,8 @@ libimcv {
       command = isolate
       additional_ids = 1
     }
+    imc-scanner {
+      push_info = no
+   }
   }
 }
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
index 9eec48402..e21ef0d14 100755..100644
--- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/ipsec.conf
@@ -1,9 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
-	charondebug="tnc 3, imv 2"
+	charondebug="tnc 3, imv 3"
 
 conn %default
 	ikelifetime=60m
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql
new file mode 100644
index 000000000..dcc4e75d1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql
@@ -0,0 +1,793 @@
+/* Products */
+
+INSERT INTO products (			/*  1 */
+  name
+) VALUES (
+ 'Debian 7.0'
+);
+
+INSERT INTO products (			/*  2 */
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (			/*  3 */
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (			/*  4 */
+  name
+) VALUES (
+ 'Ubuntu 10.04'
+);
+
+INSERT INTO products (			/*  5 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 i686'
+);
+
+INSERT INTO products (			/*  6 */
+  name
+) VALUES (
+ 'Ubuntu 10.04 x86_64'
+);
+
+INSERT INTO products (			/*  7 */
+  name
+) VALUES (
+ 'Ubuntu 10.10'
+);
+
+INSERT INTO products (			/*  8 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 i686'
+);
+
+INSERT INTO products (			/*  9 */
+  name
+) VALUES (
+ 'Ubuntu 10.10 x86_64'
+);
+
+INSERT INTO products (			/* 10 */
+  name
+) VALUES (
+ 'Ubuntu 11.04'
+);
+
+INSERT INTO products (			/* 11 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 i686'
+);
+
+INSERT INTO products (			/* 12 */
+  name
+) VALUES (
+ 'Ubuntu 11.04 x86_64'
+);
+
+INSERT INTO products (			/* 13 */
+  name
+) VALUES (
+ 'Ubuntu 11.10'
+);
+
+INSERT INTO products (			/* 14 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 i686'
+);
+
+INSERT INTO products (			/* 15 */
+  name
+) VALUES (
+ 'Ubuntu 11.10 x86_64'
+);
+
+INSERT INTO products (			/* 16 */
+  name
+) VALUES (
+ 'Ubuntu 12.04'
+);
+
+INSERT INTO products (			/* 17 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (			/* 18 */
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (			/* 19 */
+  name
+) VALUES (
+ 'Ubuntu 12.10'
+);
+
+INSERT INTO products (			/* 20 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (			/* 21 */
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+INSERT INTO products (			/* 22 */
+  name
+) VALUES (
+ 'Ubuntu 13.04'
+);
+
+INSERT INTO products (			/* 23 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 i686'
+);
+
+INSERT INTO products (			/* 24 */
+  name
+) VALUES (
+ 'Ubuntu 13.04 x86_64'
+);
+
+INSERT INTO products (			/* 25 */
+  name
+) VALUES (
+ 'Android 4.1.1'
+);
+
+INSERT INTO products (			/* 26 */
+  name
+) VALUES (
+ 'Android 4.2.1'
+);
+
+/* Directories */
+
+INSERT INTO directories (		/*  1 */
+  path
+) VALUES (
+ '/bin'
+);
+
+INSERT INTO directories (		/*  2 */
+  path
+) VALUES (
+ '/etc'
+);
+
+INSERT INTO directories (		/*  3 */
+  path
+) VALUES (
+ '/lib'
+);
+
+INSERT INTO directories (		/*  4 */
+  path
+) VALUES (
+ '/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/*  5 */
+  path
+) VALUES (
+ '/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/*  6 */
+  path
+) VALUES (
+ '/lib/xtables'
+);
+
+INSERT INTO directories (		/*  7 */
+  path
+) VALUES (
+ '/sbin'
+);
+
+INSERT INTO directories (		/*  8 */
+  path
+) VALUES (
+ '/usr/bin'
+);
+
+INSERT INTO directories (		/*  9 */
+  path
+) VALUES (
+ '/usr/lib'
+);
+
+INSERT INTO directories (		/* 10 */
+  path
+) VALUES (
+ '/usr/lib/i386-linux-gnu'
+);
+
+INSERT INTO directories (		/* 11 */
+  path
+) VALUES (
+ '/usr/lib/x86_64-linux-gnu'
+);
+
+INSERT INTO directories (		/* 12 */
+  path
+) VALUES (
+ '/usr/sbin'
+);
+
+/* Files */
+
+INSERT INTO files (				/*  1 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  2 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  3 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 5
+);
+
+INSERT INTO files (				/*  4 */
+  name, dir
+) VALUES (
+ 'libssl.so.1.0.0', 11
+);
+
+INSERT INTO files (				/*  5 */
+  name, dir
+) VALUES (
+  'openssl', 8
+);
+
+INSERT INTO files (				/*  6 */
+  name, dir
+) VALUES (
+  'tnc_config', 2
+);
+
+/* Algorithms */
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  65536, 'SHA1-IMA' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  32768, 'SHA1' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  16384, 'SHA256' 
+);
+
+INSERT INTO algorithms (
+  id, name
+) VALUES (
+  8192, 'SHA384' 
+);
+
+/* File Hashes */
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  3, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' 
+);
+
+INSERT INTO file_hashes (
+  product, file, algo, hash
+) VALUES (
+  21, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' 
+);
+
+/* Packages */
+
+INSERT INTO packages (			/*  1 */
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (			/*  2 */
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (			/*  3 */
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (			/*  4 */
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  1, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  2, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  3, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) VALUES (
+  4, 1, '1.0.1e-2', 1366531494
+);
+
+/* Components */
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 1, 33  /* ITA TGRUB */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 2, 33  /* ITA TBOOT */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 33  /* ITA IMA - Trusted Platform */
+);
+
+INSERT INTO components (
+  vendor_id, name, qualifier
+) VALUES (
+  36906, 3, 34  /* ITA IMA - Operating System */
+);
+
+/* Groups */
+
+INSERT INTO groups (			/*  1 */
+  name, parent
+) VALUES (
+  'Debian i686', 6
+);
+
+INSERT INTO groups (			/*  2 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 6
+);
+
+INSERT INTO groups (			/*  3 */
+  name, parent
+) VALUES (
+  'Ubuntu i686', 6
+);
+
+INSERT INTO groups (			/*  4 */
+  name, parent
+) VALUES (
+  'Ubuntu x86_64', 6
+);
+
+INSERT INTO groups (			/*  5 */
+  name, parent
+) VALUES (
+  'Android', 7
+);
+
+INSERT INTO groups (			/*  6 */
+  name, parent
+) VALUES (
+  'Linux', 7
+);
+
+INSERT INTO groups (			/*  7 */
+  name
+) VALUES (
+  'Default'
+);
+
+/* Default Product Groups */
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  1, 2
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  2, 3
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 5
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 8
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 11
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 14
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 17
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 20
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  3, 23
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 6
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 9
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 12
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 15
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 18
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 21
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  4, 24
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 25
+);
+
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  5, 26
+);
+
+/* Policies */
+
+INSERT INTO policies (			/*  1 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  1, 'Installed Packages', 2, 2
+);
+
+INSERT INTO policies (			/*  2 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  2, 'Unknown Source', 2, 2
+);
+
+INSERT INTO policies (			/*  3 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  3, 'IP Forwarding Enabled',  1, 1
+);
+
+INSERT INTO policies (			/*  4 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  4, 'Default Factory Password Enabled', 1, 1
+);
+
+INSERT INTO policies (			/*  5 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2
+);
+
+INSERT INTO policies (			/*  6 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2
+);
+
+INSERT INTO policies (			/*  7 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/bin/openssl', 5, 2, 2
+);
+
+INSERT INTO policies (			/*  8 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  11, 'No Open TCP Ports', 1, 1
+);
+
+INSERT INTO policies (			/*  9 */
+  type, name, rec_fail, rec_noresult
+) VALUES (
+  13, 'No Open UDP Ports', 1, 1
+);
+
+INSERT INTO policies (			/* 10 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  7, 'Metadata of /etc/tnc_config', 6, 0, 0
+);
+
+INSERT INTO policies (			/* 11 */
+  type, name, dir, rec_fail, rec_noresult
+) VALUES (
+  8, 'Measure as reference /bin', 1, 0, 0
+);
+
+INSERT INTO policies (			/*  12 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2
+);
+
+INSERT INTO policies (			/* 13 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2
+);
+
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  1, 7, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  2, 5, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  3, 6, 0
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  5, 4, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  6, 4, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  7, 6, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  8, 7, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  9, 7, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  10, 6, 60
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  11, 6, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  12, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  13, 2, 86400
+);
+
diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
index 9e4ebcf04..032ae7e91 100644
--- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-20/posttest.dat b/testing/tests/tnc/tnccs-20/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-20/posttest.dat
+++ b/testing/tests/tnc/tnccs-20/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20/pretest.dat b/testing/tests/tnc/tnccs-20/pretest.dat
index 208f9daa9..b2b243ba3 100644
--- a/testing/tests/tnc/tnccs-20/pretest.dat
+++ b/testing/tests/tnc/tnccs-20/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-20/test.conf b/testing/tests/tnc/tnccs-20/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-20/test.conf
+++ b/testing/tests/tnc/tnccs-20/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
 
diff --git a/testing/tests/tnc/tnccs-dynamic/evaltest.dat b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
index 5cc395ef8..405298381 100644
--- a/testing/tests/tnc/tnccs-dynamic/evaltest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/evaltest.dat
@@ -1,27 +1,27 @@
 carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES
-moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES
-moon::cat /var/log/daemon.log::final recommendation is 'allow' and evaluation is 'compliant'::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES
-moon::cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES
-moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES
-moon::cat /var/log/daemon.log::final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES
+moon:: cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES
+moon:: cat /var/log/daemon.log::final recommendation is 'allow' and evaluation is 'compliant'::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES
+moon:: cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES
+moon:: cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES
+moon:: cat /var/log/daemon.log::final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf
index 105fcbec6..e2bf349d9 100755..100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
index 286eab61d..e6f5ad365 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf
index 97f322c28..77446cbae 100755..100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/ipsec.conf
@@ -1,7 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	plutostart=no
 	charondebug="tnc 3, imc 3"
 
 conn %default
@@ -18,6 +17,7 @@ conn home
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightid=@moon.strongswan.org
+	rightauth=any
 	rightsendcert=never
 	rightsubnet=10.1.0.0/16
 	auto=add
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
index a9564bd38..db91eace4 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
   multiple_authentication=no
   plugins {
     eap-tnc {
@@ -19,5 +19,8 @@ libimcv {
     imc-test {
       command = isolate
     }
+    imc-scanner {
+      push_info = no
+    }
   }
 }
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf
index 997db0df7..e21ef0d14 100755..100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/ipsec.conf
@@ -1,8 +1,6 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file
 
 config setup
-	strictcrlpolicy=no
-	plutostart=no
 	charondebug="tnc 3, imv 3"
 
 conn %default
diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
index ca5fdd041..3fc6c3a4b 100644
--- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-dynamic tnccs-11 tnccs-20 tnc-imv updown
   multiple_authentication=no
   plugins {
     eap-ttls {
diff --git a/testing/tests/tnc/tnccs-dynamic/posttest.dat b/testing/tests/tnc/tnccs-dynamic/posttest.dat
index 7cebd7f25..1865a1c60 100644
--- a/testing/tests/tnc/tnccs-dynamic/posttest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/posttest.dat
@@ -1,6 +1,6 @@
 moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-dynamic/pretest.dat b/testing/tests/tnc/tnccs-dynamic/pretest.dat
index a7a3bf412..60775a11e 100644
--- a/testing/tests/tnc/tnccs-dynamic/pretest.dat
+++ b/testing/tests/tnc/tnccs-dynamic/pretest.dat
@@ -1,6 +1,6 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
diff --git a/testing/tests/tnc/tnccs-dynamic/test.conf b/testing/tests/tnc/tnccs-dynamic/test.conf
index e28b8259b..a8a05af19 100644
--- a/testing/tests/tnc/tnccs-dynamic/test.conf
+++ b/testing/tests/tnc/tnccs-dynamic/test.conf
@@ -1,26 +1,26 @@
 #!/bin/bash
 #
 # This configuration file provides information on the
-# UML instances used for this test
+# guest instances used for this test
 
-# All UML instances that are required for this test
+# All guest instances that are required for this test
 #
-UMLHOSTS="alice venus moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-c-w-d.png"
 
-# UML instances on which tcpdump is to be started
+# Guest instances on which tcpdump is to be started
 #
 TCPDUMPHOSTS="moon"
 
-# UML instances on which IPsec is started
+# Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
 IPSECHOSTS="moon carol dave"
 
-# UML instances on which FreeRadius is started
+# Guest instances on which FreeRadius is started
 #
 RADIUSHOSTS=
author	Yves-Alexis Perez <corsac@debian.org>	2013-10-17 21:23:38 +0200
committer	Yves-Alexis Perez <corsac@debian.org>	2013-10-17 21:23:38 +0200
commit	9d37ad77ef660b92ea51b69d74e14f931d2a04e2 (patch)
tree	d6bbb4a5fed1959f8675df9ee7c03713b543fcc9 /testing/tests
parent	104f57d4b0fb6d7547d6898352eaa5fb4b222010 (diff)
parent	e5ee4e7fcdd58b7d86bf1b458da2c63e8e19627b (diff)
download	vyos-strongswan-9d37ad77ef660b92ea51b69d74e14f931d2a04e2.tar.gz vyos-strongswan-9d37ad77ef660b92ea51b69d74e14f931d2a04e2.zip