New upstream version 5.6.0

108 files changed, 1404 insertions, 74 deletions

diff --git a/testing/Makefile.in b/testing/Makefile.in
index af153d3ea..3f6f1e4dd 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -227,8 +227,6 @@ RANLIB = @RANLIB@
 RTLIB = @RTLIB@
 RUBY = @RUBY@
 RUBYGEMDIR = @RUBYGEMDIR@
-RUBYINCLUDE = @RUBYINCLUDE@
-RUBYLIB = @RUBYLIB@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
@@ -329,6 +327,8 @@ random_device = @random_device@
 resolv_conf = @resolv_conf@
 routing_table = @routing_table@
 routing_table_prio = @routing_table_prio@
+ruby_CFLAGS = @ruby_CFLAGS@
+ruby_LIBS = @ruby_LIBS@
 runstatedir = @runstatedir@
 s_plugins = @s_plugins@
 sbindir = @sbindir@
@@ -357,6 +357,10 @@ top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 tss2_CFLAGS = @tss2_CFLAGS@
 tss2_LIBS = @tss2_LIBS@
+tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
+tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
+tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
 urandom_device = @urandom_device@
 xml_CFLAGS = @xml_CFLAGS@
 xml_LIBS = @xml_LIBS@
diff --git a/testing/do-tests b/testing/do-tests
index 60c34c798..e3fd9b464 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -49,6 +49,25 @@ passed_cnt="0"
 subdir_cnt="0"
 
 ##############################################################################
+# parse optional arguments
+#
+while getopts "v" opt
+do
+	case "$opt" in
+	v)
+		verbose=YES
+		;;
+	esac
+done
+shift $((OPTIND-1))
+
+
+function print_time()
+{
+	[ "$verbose" == "YES" ] && echo "$(date +%T.%N) ~ "
+}
+
+##############################################################################
 # copy default tests to $BUILDDIR
 #
 
@@ -207,12 +226,16 @@ for SUBDIR in $TESTS
 do
     SUBTESTS="`basename $SUBDIR`"
 
-    if [ $SUBTESTS = $SUBDIR ]
-    then
-	SUBTESTS="`ls $DEFAULTTESTSDIR/$SUBDIR`"
-    else
-	SUBDIR="`dirname $SUBDIR`"
-    fi
+	if [ $SUBTESTS = $SUBDIR ]
+	then
+		SUBTESTS="`ls $DEFAULTTESTSDIR/$SUBDIR`"
+	else
+		if [[ $SUBTESTS == *'*'* ]]
+		then
+			SUBTESTS="`basename -a $DEFAULTTESTSDIR/$SUBDIR`"
+		fi
+		SUBDIR="`dirname $SUBDIR`"
+	fi
 
     if [ ! -d $TODAYDIR/$SUBDIR ]
     then
@@ -326,7 +349,7 @@ do
 		host=`echo $host_iface | awk -F ":" '{print $1}'`
 		iface=`echo $host_iface | awk -F ":" '{if ($2 != "") { print $2 } else { printf("eth0") }}'`
 		tcpdump_cmd="tcpdump -l $TCPDUMP_IM -i $iface not port ssh and not port domain >/tmp/tcpdump.log 2>/tmp/tcpdump.err.log &"
-		echo "${host}# $tcpdump_cmd" >> $CONSOLE_LOG
+		echo "$(print_time)${host}# $tcpdump_cmd" >> $CONSOLE_LOG
 		ssh $SSHCONF root@`eval echo \\\$ipv4_$host '$tcpdump_cmd'`
 		eval TDUP_${host}="true"
 	    done
@@ -381,7 +404,7 @@ do
 	eval `awk -F "::" '{
 	    if ($1 !~ /^#.*/ && $2 != "")
 	    {
-		printf("echo \"%s# %s\"; ", $1, $2)
+		printf("echo \"$(print_time)%s# %s\"; ", $1, $2)
 		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
 		printf("echo;\n")
 	    }
@@ -395,7 +418,7 @@ do
 	function stop_tcpdump {
 	    # wait for packets to get processed, but don't wait longer than 1s
 	    eval ssh $SSHCONF root@\$ipv4_${1} "\"i=100; while [ \\\$i -gt 0 ]; do pkill -USR1 tcpdump; tail -1 /tmp/tcpdump.err.log | perl -n -e '/(\\d+).*?(\\d+)/; exit (\\\$1 == \\\$2)' || break; sleep 0.01; i=\\\$((\\\$i-1)); done;\""
-	    echo "${1}# killall tcpdump" >> $CONSOLE_LOG
+	    echo "$(print_time)${1}# killall tcpdump" >> $CONSOLE_LOG
 	    eval ssh $SSHCONF root@\$ipv4_${1} "\"killall tcpdump; while true; do killall -q -0 tcpdump || break; sleep 0.01; done;\""
 	    eval TDUP_${1}="false"
 	    echo "" >> $CONSOLE_LOG
@@ -412,29 +435,50 @@ do
 	STATUS="passed"
 
 	eval `awk -F "::" '{
-	    host=$1
-	    command=$2
-	    pattern=$3
-	    hit=$4
-	    if (host !~ /^#.*/ && command != "")
-	    {
+		host=$1
+		command=$2
+		pattern=$3
+		hit=$4
+		if (host ~ /^#.*/ || command == "")
+		{
+			next
+		}
+		printf("cmd_err=\044(tempfile -p test -s err); ")
 		if (command == "tcpdump")
 		{
-		    printf("if [ \044TDUP_%s == \"true\" ]; then stop_tcpdump %s; fi; \n", host, host)
-		    printf("echo \"%s# cat /tmp/tcpdump.log | grep \047%s\047  [%s]\"; ", host, pattern, hit)
-		    printf("ssh \044SSHCONF root@\044ipv4_%s cat /tmp/tcpdump.log | grep \"%s\"; ", host, pattern)
+			printf("if [ \044TDUP_%s == \"true\" ]; then stop_tcpdump %s; fi; \n", host, host)
+			printf("cmd_out=\044(ssh \044SSHCONF root@\044ipv4_%s cat /tmp/tcpdump.log | grep \"%s\"); ", host, pattern)
 		}
 		else
 		{
-		    printf("echo \"%s# %s | grep \047%s\047  [%s]\"; ", host, command, pattern, hit)
-		    printf("ssh \044SSHCONF root@\044ipv4_%s %s | grep \"%s\"; ",  host, command, pattern)
+			printf("cmd_out=\044(ssh \044SSHCONF root@\044ipv4_%s %s 2>\044cmd_err | grep \"%s\"); ",  host, command, pattern)
 		}
 		printf("cmd_exit=\044?; ")
+		printf("cmd_fail=0; ")
+		if (hit ~ /^[0-9]+$/)
+		{
+			printf("if [ \044(echo \"\044cmd_out\" | wc -l) -ne %d ] ", hit)
+		}
+		else
+		{
+			printf("if [ \044cmd_exit -eq 0 -a \"%s\" = \"NO\"  ] ", hit)
+			printf("|| [ \044cmd_exit -ne 0 -a \"%s\" = \"YES\" ] ", hit)
+		}
+		printf("; then STATUS=\"failed\"; cmd_fail=1; fi; \n")
+
+		printf("if [ \044cmd_fail -ne 0 ]; then echo \"~~~~~~~ FAIL ~~~~~~~\"; fi; \n")
+		if (command == "tcpdump")
+		{
+			printf("echo \"$(print_time)%s# cat /tmp/tcpdump.log | grep \047%s\047  [%s]\"; ", host, pattern, hit)
+		}
+		else
+		{
+			printf("echo \"$(print_time)%s# %s | grep \047%s\047  [%s]\"; ", host, command, pattern, hit)
+		}
+		printf("if [ -n \"\044cmd_out\" ]; then echo \"\044cmd_out\"; fi; \n")
+		printf("cat \044cmd_err; rm -f -- \044cmd_err; \n")
+		printf("if [ \044cmd_fail -ne 0 ]; then echo \"~~~~~~~~~~~~~~~~~~~~\"; fi; \n")
 		printf("echo; ")
-		printf("if [ \044cmd_exit -eq 0 -a \"%s\" = \"NO\"  ] ", hit)
-		printf("|| [ \044cmd_exit -ne 0 -a \"%s\" = \"YES\" ] ", hit)
-		printf("; then STATUS=\"failed\"; fi; \n")
-	    }
 	}' $TESTDIR/evaltest.dat` >> $CONSOLE_LOG 2>&1
 
 
@@ -718,7 +762,7 @@ do
 	eval `awk -F "::" '{
 	    if ($1 !~ /^#.*/ && $2 != "")
 	    {
-		printf("echo \"%s# %s\"; ", $1, $2)
+		printf("echo \"$(print_time)%s# %s\"; ", $1, $2)
 		printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
 		printf("echo;\n")
 	    }
diff --git a/testing/hosts/alice/etc/strongswan.conf b/testing/hosts/alice/etc/strongswan.conf
index f7a87e90c..bc0ddbf33 100644
--- a/testing/hosts/alice/etc/strongswan.conf
+++ b/testing/hosts/alice/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
-}
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
 }
diff --git a/testing/hosts/bob/etc/strongswan.conf b/testing/hosts/bob/etc/strongswan.conf
index f7a87e90c..bc0ddbf33 100644
--- a/testing/hosts/bob/etc/strongswan.conf
+++ b/testing/hosts/bob/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
-}
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
 }
diff --git a/testing/hosts/carol/etc/strongswan.conf b/testing/hosts/carol/etc/strongswan.conf
index f7a87e90c..bc0ddbf33 100644
--- a/testing/hosts/carol/etc/strongswan.conf
+++ b/testing/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
-}
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
 }
diff --git a/testing/hosts/dave/etc/strongswan.conf b/testing/hosts/dave/etc/strongswan.conf
index f7a87e90c..bc0ddbf33 100644
--- a/testing/hosts/dave/etc/strongswan.conf
+++ b/testing/hosts/dave/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
-}
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
 }
diff --git a/testing/hosts/default/usr/local/bin/init_collector b/testing/hosts/default/usr/local/bin/init_collector
new file mode 100755
index 000000000..c522de874
--- /dev/null
+++ b/testing/hosts/default/usr/local/bin/init_collector
@@ -0,0 +1,4 @@
+#! /bin/sh
+
+cat /usr/local/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql | sqlite3 /etc/db.d/collector.db
+LEAK_DETECTIVE_DISABLE=1 /usr/local/sbin/sw-collector
diff --git a/testing/hosts/moon/etc/strongswan.conf b/testing/hosts/moon/etc/strongswan.conf
index f7a87e90c..bc0ddbf33 100644
--- a/testing/hosts/moon/etc/strongswan.conf
+++ b/testing/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
-}
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
 }
diff --git a/testing/hosts/sun/etc/strongswan.conf b/testing/hosts/sun/etc/strongswan.conf
index f7a87e90c..bc0ddbf33 100644
--- a/testing/hosts/sun/etc/strongswan.conf
+++ b/testing/hosts/sun/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
-}
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
 }
diff --git a/testing/hosts/venus/etc/strongswan.conf b/testing/hosts/venus/etc/strongswan.conf
index f7a87e90c..bc0ddbf33 100644
--- a/testing/hosts/venus/etc/strongswan.conf
+++ b/testing/hosts/venus/etc/strongswan.conf
@@ -1,9 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown stroke
-}
-
-libstrongswan {
-  dh_exponent_ansi_x9_42 = no
+  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints curve25519 pubkey gmp random nonce curl kernel-netlink socket-default updown stroke vici
 }
diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages
index 43a71b921..7dd7188c2 100755
--- a/testing/scripts/build-guestimages
+++ b/testing/scripts/build-guestimages
@@ -48,11 +48,11 @@ do
 	execute "cp -rf $HOSTSDIR/${host}/etc $LOOPDIR" 0
 	execute "cp -rf $HOSTSDIR/default/* $LOOPDIR" 0
 	execute_chroot "ldconfig" 0
+	execute "mkdir $LOOPDIR/etc/pts" 0
 
 	if [ "$host" = "alice" ]
 	then
 		execute "mkdir $LOOPDIR/var/log/apache2/tnc" 0
-		execute "mkdir $LOOPDIR/etc/pts" 0
 		execute_chroot "chgrp www-data /etc/pts" 0
 		execute_chroot "chmod g+w /etc/pts" 0
 	fi
diff --git a/testing/scripts/build-strongswan b/testing/scripts/build-strongswan
index 8c6ecaafd..d4e9e922f 100755
--- a/testing/scripts/build-strongswan
+++ b/testing/scripts/build-strongswan
@@ -51,6 +51,7 @@ do_on_exit umount $LOOPDIR/root/strongswan
 
 log_action "Remove SWID tags of previous versions"
 execute_chroot 'find /usr/local/share/regid.2004-03.org.strongswan -name *.swidtag -delete'
+execute_chroot 'find /usr/local/share/strongswan -name *.swidtag -delete'
 
 echo "Building and installing strongSwan"
 
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
index a5b2d8060..3c5f41834 100644
--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -56,6 +56,8 @@ CONFIG_OPTS = \
 	--enable-imv-attestation \
 	--enable-imc-swid \
 	--enable-imv-swid \
+	--enable-imc-swima \
+	--enable-imv-swima \
 	--enable-imc-hcd \
 	--enable-imv-hcd \
 	--enable-sql \
diff --git a/testing/testing.conf b/testing/testing.conf
index eeb69ea3d..e22afc3e4 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -31,7 +31,7 @@ fi
 : ${KERNELPATCH=ha-4.4-abicompat.patch.bz2}
 
 # strongSwan version used in tests
-: ${SWANVERSION=5.5.3}
+: ${SWANVERSION=5.6.0}
 
 # Build directory where the guest kernel and images will be built
 : ${BUILDDIR=$TESTDIR/build}
diff --git a/testing/tests/ikev2/net2net-rekey/description.txt b/testing/tests/ikev2/net2net-rekey/description.txt
new file mode 100644
index 000000000..c3122a76f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/description.txt
@@ -0,0 +1,10 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+After a while the CHILD_SA is rekeyed by <b>moon</b> (after a deliberately short
+time in this test scenario).
+In order to test both tunnel and firewall after the rekeying, client <b>alice</b>
+behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>
+twice, once right after the rekeying and once after the old inbound SA has been
+deleted.
diff --git a/testing/tests/ikev2/net2net-rekey/evaltest.dat b/testing/tests/ikev2/net2net-rekey/evaltest.dat
new file mode 100644
index 000000000..0a34efe9d
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/evaltest.dat
@@ -0,0 +1,14 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+moon::sleep 6::wait for rekeying::NO
+moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA::YES
+moon::cat /var/log/daemon.log::generating CREATE_CHILD_SA request.*REKEY_SA::YES
+moon::cat /var/log/daemon.log::deleted SAD entry with SPI::1
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::sleep 2::wait until inbound SA is deleted::NO
+moon::cat /var/log/daemon.log::deleted SAD entry with SPI::2
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..dcd98b4de
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="knl 2"
+
+conn %default
+	ikelifetime=60m
+	lifetime=10s
+	margintime=5s
+	rekeyfuzz=0%
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..3dcbf76ea
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  # remove rekeyed inbound SA a bit quicker for the test scenario
+  delete_rekeyed_delay = 2
+}
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..5b391db4b
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..93f434598
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/net2net-rekey/posttest.dat b/testing/tests/ikev2/net2net-rekey/posttest.dat
new file mode 100644
index 000000000..837738fc6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev2/net2net-rekey/pretest.dat b/testing/tests/ikev2/net2net-rekey/pretest.dat
new file mode 100644
index 000000000..bcc2cb04d
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection net-net
+moon::expect-connection net-net
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-rekey/test.conf b/testing/tests/ikev2/net2net-rekey/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/ikev2/net2net-rekey/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
index f6feda0bb..b81e9b277 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/ipsec.conf
@@ -9,7 +9,7 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 	ike=aes256gcm128-prfsha384-ecp384!
-	esp=aes256cm128-ecp384!
+	esp=aes256gcm128-ecp384!
 
 conn peer
 	left=PH_IP_DAVE
diff --git a/testing/tests/pfkey/net2net-rekey/description.txt b/testing/tests/pfkey/net2net-rekey/description.txt
new file mode 100644
index 000000000..c3122a76f
--- /dev/null
+++ b/testing/tests/pfkey/net2net-rekey/description.txt
@@ -0,0 +1,10 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+After a while the CHILD_SA is rekeyed by <b>moon</b> (after a deliberately short
+time in this test scenario).
+In order to test both tunnel and firewall after the rekeying, client <b>alice</b>
+behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>
+twice, once right after the rekeying and once after the old inbound SA has been
+deleted.
diff --git a/testing/tests/pfkey/net2net-rekey/evaltest.dat b/testing/tests/pfkey/net2net-rekey/evaltest.dat
new file mode 100644
index 000000000..3bf3b274b
--- /dev/null
+++ b/testing/tests/pfkey/net2net-rekey/evaltest.dat
@@ -0,0 +1,16 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+# deleting the inbound SPI
+moon::cat /var/log/daemon.log::deleted SAD entry with SPI::1
+moon::sleep 6::wait for rekeying::NO
+moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA::YES
+moon::cat /var/log/daemon.log::generating CREATE_CHILD_SA request.*REKEY_SA::YES
+moon::cat /var/log/daemon.log::deleted SAD entry with SPI::3
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::sleep 2::wait until inbound SA is deleted::NO
+moon::cat /var/log/daemon.log::deleted SAD entry with SPI::4
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..dcd98b4de
--- /dev/null
+++ b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="knl 2"
+
+conn %default
+	ikelifetime=60m
+	lifetime=10s
+	margintime=5s
+	rekeyfuzz=0%
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4234eb134
--- /dev/null
+++ b/testing/tests/pfkey/net2net-rekey/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+  # remove rekeyed inbound SA a bit quicker for the test scenario
+  delete_rekeyed_delay = 2
+}
diff --git a/testing/tests/pfkey/net2net-rekey/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/net2net-rekey/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..5b391db4b
--- /dev/null
+++ b/testing/tests/pfkey/net2net-rekey/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/pfkey/net2net-rekey/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/net2net-rekey/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..0ecc2f847
--- /dev/null
+++ b/testing/tests/pfkey/net2net-rekey/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+}
diff --git a/testing/tests/pfkey/net2net-rekey/posttest.dat b/testing/tests/pfkey/net2net-rekey/posttest.dat
new file mode 100644
index 000000000..837738fc6
--- /dev/null
+++ b/testing/tests/pfkey/net2net-rekey/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/pfkey/net2net-rekey/pretest.dat b/testing/tests/pfkey/net2net-rekey/pretest.dat
new file mode 100644
index 000000000..bcc2cb04d
--- /dev/null
+++ b/testing/tests/pfkey/net2net-rekey/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection net-net
+moon::expect-connection net-net
+moon::ipsec up net-net
diff --git a/testing/tests/pfkey/net2net-rekey/test.conf b/testing/tests/pfkey/net2net-rekey/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/pfkey/net2net-rekey/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat
index 05bf42057..a3f45871c 100644
--- a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat
+++ b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat
@@ -2,20 +2,24 @@ moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.
 sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
 sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
-moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::sleep 2::wait for rekeying::NO
 moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES
 moon::cat /var/log/daemon.log::ees: expire received for reqid 1, spi.*, dst 192.168.0.2::YES
 moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES
+moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::NO
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::sleep 2::wait until inbound SA is deleted::NO
 moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
 moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
 moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
 moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
 moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
 moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
 moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
-moon::cat /tmp/tkm.log | grep 'Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 2, hard 60 \]' | wc -l::2::YES
+moon::cat /tmp/tkm.log | grep 'Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 4, hard 60 \]' | wc -l::2::YES
 moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
 moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
 moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf
index cc9d6e072..5b79af9f4 100644
--- a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon-tkm {
+  # remove rekeyed inbound SA a bit quicker for the test scenario
+  delete_rekeyed_delay = 2
   dh_mapping {
     15 = 1
     16 = 2
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf
index 23e958ab0..62b103a80 100644
--- a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf
@@ -14,7 +14,7 @@
             <ip>192.168.0.2</ip>
         </remote>
         <lifetime>
-            <soft>2</soft>
+            <soft>4</soft>
             <hard>60</hard>
         </lifetime>
     </policy>
diff --git a/testing/tests/tkm/xfrmproxy-rekey/description.txt b/testing/tests/tkm/xfrmproxy-rekey/description.txt
new file mode 100644
index 000000000..648011b11
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-rekey/description.txt
@@ -0,0 +1,6 @@
+A transport connection between the hosts <b>moon</b> and <b>sun</b> is set up.
+The host <b>moon</b> starts the Trusted Key Manager (TKM) and the Ada XFRM
+proxy, which relays XFRM kernel messages to charon. The authentication is based
+on X.509 certificates. The connection is initiated by a ping from <b>moon</b>
+to <b>sun</b>. The test asserts that a rekeying initiated by <b>sun</b> works
+as expected.
diff --git a/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat b/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat
new file mode 100644
index 000000000..15bdf3b39
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-rekey/evaltest.dat
@@ -0,0 +1,23 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::sleep 2::wait for rekeying::NO
+sun::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::NO
+moon::sleep 2::wait until inbound SA is deleted::NO
+moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
+moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator FALSE, spi_loc.*, spi_rem.*)::YES
+moon::cat /tmp/tkm.log | grep 'Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]' | wc -l::2::YES
+moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
+moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
+moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5b79af9f4
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+  # remove rekeyed inbound SA a bit quicker for the test scenario
+  delete_rekeyed_delay = 2
+  dh_mapping {
+    15 = 1
+    16 = 2
+  }
+}
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..d3748930a
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/tkm/moonKey.der
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/tkm/strongswanCert.der
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..2619c0089
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+<tkmconfig>
+    <local_identity id="1">
+        <identity>moon.strongswan.org</identity>
+        <certificate>moonCert.pem</certificate>
+    </local_identity>
+    <policy id="1">
+        <mode>transport</mode>
+        <local>
+            <identity_id>1</identity_id>
+            <ip>192.168.0.1</ip>
+        </local>
+        <remote>
+            <identity>sun.strongswan.org</identity>
+            <ip>192.168.0.2</ip>
+        </remote>
+        <lifetime>
+            <soft>30</soft>
+            <hard>60</hard>
+        </lifetime>
+    </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..9dc641240
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=10s
+	rekeymargin=6s
+	rekeyfuzz=0%
+	keyingtries=1
+	keyexchange=ikev2
+
+conn host-host
+	left=PH_IP_SUN
+	leftcert=sunCert.pem
+	leftid=sun.strongswan.org
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	ike=aes256-sha512-modp4096!
+	esp=aes256-sha512-modp4096!
+	type=transport
+	auto=add
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..f585edfca
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/xfrmproxy-rekey/posttest.dat b/testing/tests/tkm/xfrmproxy-rekey/posttest.dat
new file mode 100644
index 000000000..99efe7b00
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-rekey/posttest.dat
@@ -0,0 +1,5 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall xfrm_proxy
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/xfrmproxy-rekey/pretest.dat b/testing/tests/tkm/xfrmproxy-rekey/pretest.dat
new file mode 100644
index 000000000..d645ddbfe
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-rekey/pretest.dat
@@ -0,0 +1,12 @@
+sun::ipsec start
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+moon::expect-file /tmp/tkm.rpc.ees
+moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::expect-connection host-host
+moon::ping -c 3 192.168.0.2
diff --git a/testing/tests/tkm/xfrmproxy-rekey/test.conf b/testing/tests/tkm/xfrmproxy-rekey/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-rekey/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-ev-pt-tls/description.txt
new file mode 100644
index 000000000..a4d9b4cf4
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/description.txt
@@ -0,0 +1,9 @@
+The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision 
+point (PDP) <b>alice</b>. Endpoint <b>carol</b> uses password-based SASL PLAIN client authentication during the
+<b>PT-TLS negotiation phase</b> whereas endpoint <b>dave</b> uses certificate-based TLS client authentication
+during the <b>TLS setup phase</b>.
+<p/>
+During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWIMA</b> IMC/IMV pairs
+loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
+embedded in PB-TNC (RFC 5793) batches. The <b>SWIMA</b> IMC on <b>carol</b> is requested to deliver
+all <b>Software ID Events</b> whereas <b>dave</b> must send a full <b>Software Inventory</b>.
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat
new file mode 100644
index 000000000..2248d002c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/evaltest.dat
@@ -0,0 +1,24 @@
+dave:: cat /var/log/auth.log::sending TLS CertificateVerify handshake::YES
+dave:: cat /var/log/auth.log::collected ... SW records::YES
+dave:: cat /var/log/auth.log::strongswan.org__strongSwan.*swidtag::YES
+carol::cat /var/log/auth.log::received SASL Success result::YES
+carol::cat /var/log/auth.log::collected ... SW ID events::YES
+carol::cat /var/log/auth.log::collected 3 SW records::YES
+alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
+alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
+alice::cat /var/log/daemon.log::certificate status is good::YES
+alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
+alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
+alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::role=.softwareCreator licensor tagCreator::YES
+alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
+moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES
+alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
+alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
+alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES
+alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
+alice::cat /var/log/daemon.log::received software ID events with ... items for request 9 at last eid 2 of epoch::YES
+alice::cat /var/log/daemon.log::3 SWID tag target::YES
+alice::cat /var/log/daemon.log::received software inventory with 3 items for request 9 at last eid 2 of epoch::YES
+alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES
+moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
new file mode 100644
index 000000000..4075f75bd
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
@@ -0,0 +1,31 @@
+WSGIPythonPath /var/www/tnc
+
+<VirtualHost *:80>
+    ServerName tnc.strongswan.org
+    ServerAlias tnc
+    ServerAdmin webmaster@localhost
+
+    DocumentRoot /var/www/tnc
+
+    <Directory /var/www/tnc/config>
+        <Files wsgi.py>
+            <IfModule mod_authz_core.c>
+               Require all granted
+            </IfModule>
+            <IfModule !mod_authz_core.c>
+                Order deny,allow
+                Allow from all
+            </IfModule>
+        </Files>
+    </Directory>
+
+    WSGIScriptAlias / /var/www/tnc/config/wsgi.py
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+
+    Alias /static/ /var/www/tnc/static/
+
+    ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
+    LogLevel warn
+    CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
+</VirtualHost>
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/apache2/sites-available/default
new file mode 100644
index 000000000..1dc8b5688
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/apache2/sites-available/default
@@ -0,0 +1 @@
+Include sites-available/000-default.conf
\ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..c556d9483
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# open loopback interface
+-A INPUT  -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
+# allow PT-TLS
+-A INPUT  -i eth0 -p tcp --dport 271 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT
+
+# allow inbound ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow outbound ssh
+-A OUTPUT  -p tcp --dport 22 -j ACCEPT
+-A INPUT  -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/pts/data1.sql
new file mode 100644
index 000000000..16ab96d58
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/pts/data1.sql
@@ -0,0 +1,61 @@
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created
+)
+SELECT 'aabbccddeeff11223344556677889900', id, 1372330615
+FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64';
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+  type, value
+) VALUES ( /* dave@strongswan.org */
+  4, X'64617665407374726f6e677377616e2e6f7267'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+  time, connection, identity, device, product, rec
+)
+SELECT NOW, 1, 1, 1, id, 0
+FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64';
+
+/* Results */
+
+INSERT INTO results (
+  session, policy, rec, result
+) VALUES (
+  1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  17, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  18, 10, 86400
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongTNC/settings.ini
new file mode 100644
index 000000000..5ae53c47a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongTNC/settings.ini
@@ -0,0 +1,19 @@
+[debug]
+DEBUG=0
+TEMPLATE_DEBUG=0
+DEBUG_TOOLBAR=0
+
+[db]
+DJANGO_DB_URL=sqlite:////var/www/tnc/django.db
+STRONGTNC_DB_URL = sqlite:////etc/db.d/config.db
+
+[localization]
+LANGUAGE_CODE=en-us
+TIME_ZONE=Europe/Zurich
+
+[admins]
+Your Name: alice@strongswan.org
+
+[security]
+SECRET_KEY=strongSwan
+ALLOWED_HOSTS=127.0.0.1,10.1.0.10,tnc.strongswan.org,tnc
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..1148b945a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,49 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tls = 2
+      tnc = 2 
+      imv = 3
+    }
+  }
+  plugins {
+    tnc-pdp {
+      server = aaa.strongswan.org
+      radius {
+        secret = gv6URkSs
+      }
+    }
+    tnc-imv {
+      dlclose = no
+    }
+  }
+}
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+libimcv {
+  database = sqlite:///etc/db.d/config.db
+  policy_script = /usr/local/libexec/ipsec/imv_policy_manager 
+
+  plugins {
+    imv-swima {
+      rest_api {
+        uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
+      }
+    }
+  }
+}
+
+imv_policy_manager {
+  command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""'
+  command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""'
+}
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/swanctl/rsa/aaaKey.pem b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/swanctl/rsa/aaaKey.pem
new file mode 100644
index 000000000..adc47dd33
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/swanctl/rsa/aaaKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAtxfP0jM8wZqtJvNmYar+WmB5GkzZbm431C5YWpSc/4vjCMXl
+h/7VuGPkOeuEqU4KOKL3l0OQt1Exh77ii9ekg0X//4n132fI/hg0sKVRPCK8HC8l
+0LdwnLLNI7uO5ObYY1KtAVnDeI/cfFbLV0z38/X7GWCpKi7ocmVMNalpD5w7c/9a
+VgpO70O9NPr+OPhs1Lp9uJQQbQzQlhydhK3SLA1bJEcyXYMqOamJud+EcM1Hjq3S
+W5JpKhuroDSxGzMntRF0TgrGXf8ctNfz/52repoUh2GrFfOhkpXrKUErf46NNtnD
+e4FXvyprZNQO4wJBWKCSS3p16UWEL+1LFwiDPQIDAQABAoIBAQCNeNG0+rA0bF7k
+nOf8CZL1pFuOzdin8nQi+Bh/DRvufVlU+wyrM2ZSTqUXd/sOkuVk889ZyvQ0IYGj
+AQStx1cvs9Pl0OTx1ZDBfVShNWv6imBNasTObB+QhLvro037Yr/KpyRUydY2/vn/
+/VSrRSbGE8gMyNqNZKdpVQo44Ij0bJXxx7kVJ7CfftB65bujkRSK5u7eGjFVyHGs
+P9v4n72Pt0mVdC8yeiMjJAmmKLWaDf7U2SUoaxf0IRjRNPdVBuPjbYjfnJ0sGlxF
+sCQtu+3JQ4b7vyxrAyUtImbTLwvFqQHTGIahZUvhGd/1aO0Zmls1mvuZ+VhUIsek
+uBJh54jFAoGBAN7M08mBkA8oUns0IzzG+A0JYDmdbvOWbKtyQDRl7LkXOq/PckIj
+PoliI/5aNZe9+Q8kq8xnvLVcsup7EX6Ovaqc6S3ODNEjy4XEqGMM9tkrz4R4N5f5
+hLayOg3MfdJiPOn3HF+cVvHp0Vwpt8K5TgVmOWkVSKTa+6eX4mhQUuKjAoGBANJg
+Rmka90zo+7PPze4oo5ePeqwZrwQ3/6OeD/G1lqMFPOgk3MLGuv9HvtQA5gyyAH7+
+Qy/t+rdPSC7PZi29s8/cERmWTdbZ1ocuKa6xxSvktl7Ibv51d0sW1n+kfVin7cLL
+SskoK8BRXjXsZg7jjZjE5f6iqdHq+JPA2JWM10CfAoGAOXTvJScxhIcshjNS5wiU
+zZ/eXd1Y0J65VZl4L0sdujngW5iO6bl3FizmBWE0Mva99QbK+0LBarAGP+wO/elH
+xmkCxVo++exWPyARIMImIqlmsc3i4GFrtUXPLOHQjOHivZ+JhKqnzWk0IaVsi14I
+XeIX6h6gBkum3HiR3b7hMSsCgYEAtq7ftbmy8liG6hgTzTIBDUWM0xHihxlRpnVF
+hzGWw61yvGv2QDVugOt+bH7zRib0g1KsaVyQkMoJ9ownQKUxFdkWCFAa++1iezS9
+AXRhscIEE76dk93RX6VPUrw2FNyOfM8n/BIkG/cMhmroHRnBBd5Fkp8SNLWEclnO
+Od95tCUCgYEAgvohkyZAAKMRUFYEvHgwyxeXHifHVPIoK9UN022DJmIEJE2ISGtH
+yHnBKgF52tlYhC9ijKwMG43C9IvycydRUtViOxDV8AiE4BV1tXuQHLl0jD2R7yq5
+9pNtnYgXW+ZKlx9705ltHj8hhKl6r2I8oXdR9KFGO83wq8fr6tyjqHc=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..635620b7d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,7 @@
+secrets {
+
+   eap-carol {
+      id = carol
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/swanctl/x509/aaaCert.pem b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/swanctl/x509/aaaCert.pem
new file mode 100644
index 000000000..42083c2a9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/swanctl/x509/aaaCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIBMzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE1MDgwNDE0NTUzMVoXDTE5MDkwNjE0NTUzMVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALcX
+z9IzPMGarSbzZmGq/lpgeRpM2W5uN9QuWFqUnP+L4wjF5Yf+1bhj5DnrhKlOCjii
+95dDkLdRMYe+4ovXpINF//+J9d9nyP4YNLClUTwivBwvJdC3cJyyzSO7juTm2GNS
+rQFZw3iP3HxWy1dM9/P1+xlgqSou6HJlTDWpaQ+cO3P/WlYKTu9DvTT6/jj4bNS6
+fbiUEG0M0JYcnYSt0iwNWyRHMl2DKjmpibnfhHDNR46t0luSaSobq6A0sRszJ7UR
+dE4Kxl3/HLTX8/+dq3qaFIdhqxXzoZKV6ylBK3+OjTbZw3uBV78qa2TUDuMCQVig
+kkt6delFhC/tSxcIgz0CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBRFNnP26ELy5j7KMOO+a8dh5pLe6DBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAsncNPDCCDd4mzIHs
+nHY7b6H1tVQtFSbAQntV06D4D7vOp6Y+M5S8ta50hJu4f4GEeH5c7/hm8gbRdHt/
+TcjlV/UWBfhU3c/hNJo2LpmmtdmYUABLA3rdZ+FzOnAHX9H8eI988G7eHpI9T7L2
+FY2YEnWhIUVjFrojtH2+NbuA/Ori1QwSBiVhvJQgvUPjhKkjUtC+8zIdaCmJFErQ
+GGObpAMtnTcQ74md9BQ791RPMp77tDe1fgm7m8QWIsoIyYEhvzyfk2VTBn1VlWyH
+sbT0Vb3X9ubt0KXn2Xr491WTCpc5rzDWj9CNUYUgW7RaPxgw5cj2HK6oiLnGpO73
+xyr/Qw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..1499dfc90
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS"	/usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "SWIMA"	/usr/local/lib/ipsec/imcvs/imv-swima.so
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/ipsec.sql
new file mode 100644
index 000000000..805c8bfd9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/ipsec.sql
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/iptables.rules b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..d01d0a3c9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/iptables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow PT-TLS 
+-A INPUT  -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
+-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/options
new file mode 100644
index 000000000..52a3673b3
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/pts/options
@@ -0,0 +1,6 @@
+--connect aaa.strongswan.org
+--client carol
+--secret "Ar3etTnp"
+--cert /etc/swanctl/x509ca/strongswanCert.pem
+--quiet
+--debug 2
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..87c3745a3
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,25 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+libimcv {
+  plugins {
+    imc-swima {
+      swid_database = sqlite:///etc/db.d/collector.db
+    }
+  }
+}
+
+pt-tls-client {
+  load = revocation constraints pem openssl curl sqlite nonce tnc-tnccs tnc-imc tnccs-20
+}
+
+sw-collector {
+  database = sqlite:///etc/db.d/collector.db
+  history = /var/log/apt/history.log
+  rest_api {
+    uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..28da4d427
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# the PT-TLS client reads its configuration and secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..3975056ca
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS" 	/usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWIMA"	/usr/local/lib/ipsec/imcvs/imc-swima.so
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/ipsec.sql
new file mode 100644
index 000000000..805c8bfd9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/ipsec.sql
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/iptables.rules b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..d01d0a3c9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/iptables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow PT-TLS 
+-A INPUT  -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
+-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/pts/options
new file mode 100644
index 000000000..08953142f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/pts/options
@@ -0,0 +1,7 @@
+--connect aaa.strongswan.org
+--client dave@strongswan.org
+--key  /etc/swanctl/rsa/daveKey.pem
+--cert /etc/swanctl/x509/daveCert.pem
+--cert /etc/swanctl/x509ca/strongswanCert.pem
+--quiet
+--debug 2
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..93cbb7101
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = no
+    }
+    imc-swima {
+      swid_pretty = yes
+    }
+  }
+}
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+pt-tls-client {
+  load = revocation constraints pem openssl curl nonce tnc-tnccs tnc-imc tnccs-20
+}
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..28da4d427
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# the PT-TLS client reads its configuration and secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..3975056ca
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS" 	/usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWIMA"	/usr/local/lib/ipsec/imcvs/imc-swima.so
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..d99a4b78a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,3 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+# this file is not used in this scenario 
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..27f96a620
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# this file is not used in this scenario 
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
new file mode 100644
index 000000000..09c8a6cbc
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/posttest.dat
@@ -0,0 +1,10 @@
+carol::ip route del 10.1.0.0/16 via 192.168.0.1
+dave::ip route del 10.1.0.0/16 via 192.168.0.1
+winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
+alice::service charon stop
+alice::service apache2 stop
+alice::rm /etc/swanctl/rsa/aaaKey.pem
+alice::rm /etc/swanctl/x509/aaaCert.pem
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat
new file mode 100644
index 000000000..c0d732368
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/pretest.dat
@@ -0,0 +1,26 @@
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+dave::cat /etc/tnc_config
+alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
+alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
+alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
+alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db
+alice::/usr/local/bin/init_tnc
+alice::rm /etc/swanctl/x509/aliceCert.pem
+alice::rm /etc/swanctl/rsa/aliceKey.pem
+alice::service charon start
+alice::service apache2 start
+alice::swanctl --load-creds
+winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
+dave::ip route add 10.1.0.0/16 via 192.168.0.1
+dave::cat /etc/pts/options
+dave::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options
+carol::/usr/local/bin/init_collector
+carol::ip route add 10.1.0.0/16 via 192.168.0.1
+carol::cat /etc/pts/options
+carol::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/test.conf
new file mode 100644
index 000000000..f434789b9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="carol moon dave alice"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="alice carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
index af53e6c9b..8642292a8 100644
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
@@ -1,4 +1,4 @@
 sun::service charon start
 moon::cat /etc/pts/options
 moon::sleep 1
-moon::ipsec pt-tls-client --optionsfrom /etc/pts/options
+moon::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-nea-pt-tls/description.txt
new file mode 100644
index 000000000..90e85485c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/description.txt
@@ -0,0 +1,9 @@
+The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision 
+point (PDP) <b>alice</b>. Endpoint <b>carol</b> uses password-based SASL PLAIN client authentication during the
+<b>PT-TLS negotiation phase</b> whereas endpoint <b>dave</b> uses certificate-based TLS client authentication
+during the <b>TLS setup phase</b>.
+<p/>
+During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWIMA</b> IMC/IMV pairs
+loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
+embedded in PB-TNC (RFC 5793) batches. The <b>SWIMA</b> IMC on <b>carol</b> is requested to deliver
+a concise <b>Software ID Inventory</b> whereas <b>dave</b> must send a full <b>Software Inventory</b>.
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat
new file mode 100644
index 000000000..198b2bde3
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/evaltest.dat
@@ -0,0 +1,25 @@
+dave:: cat /var/log/auth.log::sending TLS CertificateVerify handshake::YES
+dave:: cat /var/log/auth.log::collected ... SW records::YES
+carol::cat /var/log/auth.log::received SASL Success result::YES
+carol::cat /var/log/auth.log::collected ... SW ID records::YES
+carol::cat /var/log/auth.log::strongswan.org__strongSwan.*swidtag::YES
+carol::cat /var/log/auth.log::collected 1 SW record::YES
+alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
+alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
+alice::cat /var/log/daemon.log::certificate status is good::YES
+alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
+alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
+alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
+moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES
+alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
+alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
+alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES
+alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
+alice::cat /var/log/daemon.log::failed to collect SW ID events, fallback to SW ID inventory::YES
+alice::cat /var/log/daemon.log::received software ID inventory with ... items for request 9 at last eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::1 SWID tag target::YES
+alice::cat /var/log/daemon.log::received software inventory with 1 item for request 9 at last eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::strongswan.org__strongSwan.*@ /usr/local/share/strongswan::YES
+alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES
+moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
new file mode 100644
index 000000000..4075f75bd
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf
@@ -0,0 +1,31 @@
+WSGIPythonPath /var/www/tnc
+
+<VirtualHost *:80>
+    ServerName tnc.strongswan.org
+    ServerAlias tnc
+    ServerAdmin webmaster@localhost
+
+    DocumentRoot /var/www/tnc
+
+    <Directory /var/www/tnc/config>
+        <Files wsgi.py>
+            <IfModule mod_authz_core.c>
+               Require all granted
+            </IfModule>
+            <IfModule !mod_authz_core.c>
+                Order deny,allow
+                Allow from all
+            </IfModule>
+        </Files>
+    </Directory>
+
+    WSGIScriptAlias / /var/www/tnc/config/wsgi.py
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+
+    Alias /static/ /var/www/tnc/static/
+
+    ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
+    LogLevel warn
+    CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
+</VirtualHost>
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/apache2/sites-available/default
new file mode 100644
index 000000000..1dc8b5688
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/apache2/sites-available/default
@@ -0,0 +1 @@
+Include sites-available/000-default.conf
\ No newline at end of file
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/iptables.rules
new file mode 100644
index 000000000..c556d9483
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/iptables.rules
@@ -0,0 +1,28 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# open loopback interface
+-A INPUT  -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
+# allow PT-TLS
+-A INPUT  -i eth0 -p tcp --dport 271 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT
+
+# allow inbound ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow outbound ssh
+-A OUTPUT  -p tcp --dport 22 -j ACCEPT
+-A INPUT  -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/pts/data1.sql
new file mode 100644
index 000000000..16ab96d58
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/pts/data1.sql
@@ -0,0 +1,61 @@
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created
+)
+SELECT 'aabbccddeeff11223344556677889900', id, 1372330615
+FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64';
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+  type, value
+) VALUES ( /* dave@strongswan.org */
+  4, X'64617665407374726f6e677377616e2e6f7267'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+  time, connection, identity, device, product, rec
+)
+SELECT NOW, 1, 1, 1, id, 0
+FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64';
+
+/* Results */
+
+INSERT INTO results (
+  session, policy, rec, result
+) VALUES (
+  1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  17, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  18, 10, 86400
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongTNC/settings.ini
new file mode 100644
index 000000000..5ae53c47a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongTNC/settings.ini
@@ -0,0 +1,19 @@
+[debug]
+DEBUG=0
+TEMPLATE_DEBUG=0
+DEBUG_TOOLBAR=0
+
+[db]
+DJANGO_DB_URL=sqlite:////var/www/tnc/django.db
+STRONGTNC_DB_URL = sqlite:////etc/db.d/config.db
+
+[localization]
+LANGUAGE_CODE=en-us
+TIME_ZONE=Europe/Zurich
+
+[admins]
+Your Name: alice@strongswan.org
+
+[security]
+SECRET_KEY=strongSwan
+ALLOWED_HOSTS=127.0.0.1,10.1.0.10,tnc.strongswan.org,tnc
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..1148b945a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,49 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce pem pkcs1 x509 openssl revocation constraints curl vici socket-default kernel-netlink tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      tls = 2
+      tnc = 2 
+      imv = 3
+    }
+  }
+  plugins {
+    tnc-pdp {
+      server = aaa.strongswan.org
+      radius {
+        secret = gv6URkSs
+      }
+    }
+    tnc-imv {
+      dlclose = no
+    }
+  }
+}
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+libimcv {
+  database = sqlite:///etc/db.d/config.db
+  policy_script = /usr/local/libexec/ipsec/imv_policy_manager 
+
+  plugins {
+    imv-swima {
+      rest_api {
+        uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
+      }
+    }
+  }
+}
+
+imv_policy_manager {
+  command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""'
+  command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""'
+}
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/swanctl/rsa/aaaKey.pem b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/swanctl/rsa/aaaKey.pem
new file mode 100644
index 000000000..adc47dd33
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/swanctl/rsa/aaaKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAtxfP0jM8wZqtJvNmYar+WmB5GkzZbm431C5YWpSc/4vjCMXl
+h/7VuGPkOeuEqU4KOKL3l0OQt1Exh77ii9ekg0X//4n132fI/hg0sKVRPCK8HC8l
+0LdwnLLNI7uO5ObYY1KtAVnDeI/cfFbLV0z38/X7GWCpKi7ocmVMNalpD5w7c/9a
+VgpO70O9NPr+OPhs1Lp9uJQQbQzQlhydhK3SLA1bJEcyXYMqOamJud+EcM1Hjq3S
+W5JpKhuroDSxGzMntRF0TgrGXf8ctNfz/52repoUh2GrFfOhkpXrKUErf46NNtnD
+e4FXvyprZNQO4wJBWKCSS3p16UWEL+1LFwiDPQIDAQABAoIBAQCNeNG0+rA0bF7k
+nOf8CZL1pFuOzdin8nQi+Bh/DRvufVlU+wyrM2ZSTqUXd/sOkuVk889ZyvQ0IYGj
+AQStx1cvs9Pl0OTx1ZDBfVShNWv6imBNasTObB+QhLvro037Yr/KpyRUydY2/vn/
+/VSrRSbGE8gMyNqNZKdpVQo44Ij0bJXxx7kVJ7CfftB65bujkRSK5u7eGjFVyHGs
+P9v4n72Pt0mVdC8yeiMjJAmmKLWaDf7U2SUoaxf0IRjRNPdVBuPjbYjfnJ0sGlxF
+sCQtu+3JQ4b7vyxrAyUtImbTLwvFqQHTGIahZUvhGd/1aO0Zmls1mvuZ+VhUIsek
+uBJh54jFAoGBAN7M08mBkA8oUns0IzzG+A0JYDmdbvOWbKtyQDRl7LkXOq/PckIj
+PoliI/5aNZe9+Q8kq8xnvLVcsup7EX6Ovaqc6S3ODNEjy4XEqGMM9tkrz4R4N5f5
+hLayOg3MfdJiPOn3HF+cVvHp0Vwpt8K5TgVmOWkVSKTa+6eX4mhQUuKjAoGBANJg
+Rmka90zo+7PPze4oo5ePeqwZrwQ3/6OeD/G1lqMFPOgk3MLGuv9HvtQA5gyyAH7+
+Qy/t+rdPSC7PZi29s8/cERmWTdbZ1ocuKa6xxSvktl7Ibv51d0sW1n+kfVin7cLL
+SskoK8BRXjXsZg7jjZjE5f6iqdHq+JPA2JWM10CfAoGAOXTvJScxhIcshjNS5wiU
+zZ/eXd1Y0J65VZl4L0sdujngW5iO6bl3FizmBWE0Mva99QbK+0LBarAGP+wO/elH
+xmkCxVo++exWPyARIMImIqlmsc3i4GFrtUXPLOHQjOHivZ+JhKqnzWk0IaVsi14I
+XeIX6h6gBkum3HiR3b7hMSsCgYEAtq7ftbmy8liG6hgTzTIBDUWM0xHihxlRpnVF
+hzGWw61yvGv2QDVugOt+bH7zRib0g1KsaVyQkMoJ9ownQKUxFdkWCFAa++1iezS9
+AXRhscIEE76dk93RX6VPUrw2FNyOfM8n/BIkG/cMhmroHRnBBd5Fkp8SNLWEclnO
+Od95tCUCgYEAgvohkyZAAKMRUFYEvHgwyxeXHifHVPIoK9UN022DJmIEJE2ISGtH
+yHnBKgF52tlYhC9ijKwMG43C9IvycydRUtViOxDV8AiE4BV1tXuQHLl0jD2R7yq5
+9pNtnYgXW+ZKlx9705ltHj8hhKl6r2I8oXdR9KFGO83wq8fr6tyjqHc=
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..635620b7d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/swanctl/swanctl.conf
@@ -0,0 +1,7 @@
+secrets {
+
+   eap-carol {
+      id = carol
+      secret = "Ar3etTnp"
+   }
+}
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/swanctl/x509/aaaCert.pem b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/swanctl/x509/aaaCert.pem
new file mode 100644
index 000000000..42083c2a9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/swanctl/x509/aaaCert.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIBMzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE1MDgwNDE0NTUzMVoXDTE5MDkwNjE0NTUzMVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALcX
+z9IzPMGarSbzZmGq/lpgeRpM2W5uN9QuWFqUnP+L4wjF5Yf+1bhj5DnrhKlOCjii
+95dDkLdRMYe+4ovXpINF//+J9d9nyP4YNLClUTwivBwvJdC3cJyyzSO7juTm2GNS
+rQFZw3iP3HxWy1dM9/P1+xlgqSou6HJlTDWpaQ+cO3P/WlYKTu9DvTT6/jj4bNS6
+fbiUEG0M0JYcnYSt0iwNWyRHMl2DKjmpibnfhHDNR46t0luSaSobq6A0sRszJ7UR
+dE4Kxl3/HLTX8/+dq3qaFIdhqxXzoZKV6ylBK3+OjTbZw3uBV78qa2TUDuMCQVig
+kkt6delFhC/tSxcIgz0CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBRFNnP26ELy5j7KMOO+a8dh5pLe6DBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAsncNPDCCDd4mzIHs
+nHY7b6H1tVQtFSbAQntV06D4D7vOp6Y+M5S8ta50hJu4f4GEeH5c7/hm8gbRdHt/
+TcjlV/UWBfhU3c/hNJo2LpmmtdmYUABLA3rdZ+FzOnAHX9H8eI988G7eHpI9T7L2
+FY2YEnWhIUVjFrojtH2+NbuA/Ori1QwSBiVhvJQgvUPjhKkjUtC+8zIdaCmJFErQ
+GGObpAMtnTcQ74md9BQ791RPMp77tDe1fgm7m8QWIsoIyYEhvzyfk2VTBn1VlWyH
+sbT0Vb3X9ubt0KXn2Xr491WTCpc5rzDWj9CNUYUgW7RaPxgw5cj2HK6oiLnGpO73
+xyr/Qw==
+-----END CERTIFICATE-----
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..1499dfc90
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/alice/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS"	/usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "SWIMA"	/usr/local/lib/ipsec/imcvs/imv-swima.so
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/ipsec.sql
new file mode 100644
index 000000000..805c8bfd9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/ipsec.sql
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/iptables.rules b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/iptables.rules
new file mode 100644
index 000000000..d01d0a3c9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/iptables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow PT-TLS 
+-A INPUT  -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
+-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/pts/options
new file mode 100644
index 000000000..52a3673b3
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/pts/options
@@ -0,0 +1,6 @@
+--connect aaa.strongswan.org
+--client carol
+--secret "Ar3etTnp"
+--cert /etc/swanctl/x509ca/strongswanCert.pem
+--quiet
+--debug 2
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..5aad08905
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+libimcv {
+  swid_gen {
+    tag_creator {
+      name = Debian Project
+      regid = debian.org
+    }
+  }
+}
+
+pt-tls-client {
+  load = revocation constraints pem openssl curl nonce tnc-tnccs tnc-imc tnccs-20
+}
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..28da4d427
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# the PT-TLS client reads its configuration and secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..3975056ca
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS" 	/usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWIMA"	/usr/local/lib/ipsec/imcvs/imc-swima.so
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/ipsec.sql
new file mode 100644
index 000000000..805c8bfd9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/ipsec.sql
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/iptables.rules b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..d01d0a3c9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/iptables.rules
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow PT-TLS 
+-A INPUT  -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
+-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/pts/options
new file mode 100644
index 000000000..08953142f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/pts/options
@@ -0,0 +1,7 @@
+--connect aaa.strongswan.org
+--client dave@strongswan.org
+--key  /etc/swanctl/rsa/daveKey.pem
+--cert /etc/swanctl/x509/daveCert.pem
+--cert /etc/swanctl/x509ca/strongswanCert.pem
+--quiet
+--debug 2
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..cf08b969d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,27 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+  swid_gen {
+    tag_creator {
+      name = Debian Project
+      regid = debian.org
+    }
+  }
+  plugins {
+    imc-os {
+      push_info = no
+    }
+    imc-swima {
+      swid_directory = /usr/share
+      swid_pretty = yes
+    }
+  }
+}
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+pt-tls-client {
+  load = revocation constraints pem openssl curl nonce tnc-tnccs tnc-imc tnccs-20
+}
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..28da4d427
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# the PT-TLS client reads its configuration and secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..3975056ca
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS" 	/usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWIMA"	/usr/local/lib/ipsec/imcvs/imc-swima.so
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..d99a4b78a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,3 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+# this file is not used in this scenario 
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 000000000..27f96a620
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1 @@
+# this file is not used in this scenario 
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat
new file mode 100644
index 000000000..09c8a6cbc
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/posttest.dat
@@ -0,0 +1,10 @@
+carol::ip route del 10.1.0.0/16 via 192.168.0.1
+dave::ip route del 10.1.0.0/16 via 192.168.0.1
+winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
+alice::service charon stop
+alice::service apache2 stop
+alice::rm /etc/swanctl/rsa/aaaKey.pem
+alice::rm /etc/swanctl/x509/aaaCert.pem
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat
new file mode 100644
index 000000000..d8ac3ab41
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/pretest.dat
@@ -0,0 +1,25 @@
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+dave::cat /etc/tnc_config
+alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
+alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
+alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
+alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db
+alice::/usr/local/bin/init_tnc
+alice::rm /etc/swanctl/x509/aliceCert.pem
+alice::rm /etc/swanctl/rsa/aliceKey.pem
+alice::service charon start
+alice::service apache2 start
+alice::swanctl --load-creds
+winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
+dave::ip route add 10.1.0.0/16 via 192.168.0.1
+dave::cat /etc/pts/options
+dave::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options
+carol::ip route add 10.1.0.0/16 via 192.168.0.1
+carol::cat /etc/pts/options
+carol::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options
diff --git a/testing/tests/tnc/tnccs-20-nea-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-nea-pt-tls/test.conf
new file mode 100644
index 000000000..08ea543e2
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-nea-pt-tls/test.conf
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="carol moon dave alice"
+
+# Guest instances on which databases are used
+#
+DBHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
index c3409fd66..fc232bfde 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
@@ -18,6 +18,6 @@ alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by passwo
 alice::cat /var/log/daemon.log::received SWID tag ID inventory with ... items for request 9 at eid 1 of epoch::YES
 alice::cat /var/log/daemon.log::1 SWID tag target::YES
 alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES
-alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES
+alice::cat /var/log/daemon.log::strongswan.org__strongSwan-::YES
 alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES
 moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
index 17951e811..d8ac3ab41 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
@@ -19,7 +19,7 @@ alice::swanctl --load-creds
 winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
 dave::ip route add 10.1.0.0/16 via 192.168.0.1
 dave::cat /etc/pts/options
-dave::ipsec pt-tls-client --optionsfrom /etc/pts/options
+dave::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options
 carol::ip route add 10.1.0.0/16 via 192.168.0.1
 carol::cat /etc/pts/options
-carol::ipsec pt-tls-client --optionsfrom /etc/pts/options
+carol::/usr/local/bin/pt-tls-client --optionsfrom /etc/pts/options